Command Line Reference

In This Section:

Changing the Context

Use the set virtual-system or vsenv command to change context to a different virtual device.

set virtual-system - Run from the CLI
vsenv - Run from Expert mode

Syntax

set virtual-system <vsid>

vsenv <vsid>

Parameter	Description
vsid	ID of the virtual device.

Example

set virtual-system 3

Output

Context is set to vsid 3

VSX Gaia CLI Commands

This section describes how to use Gaia CLI commands on VSX Gateways. For more about Gaia CLI commands, see the R76 Gaia Administration Guide.

Many CLI commands for VSX are run on each context (virtual device) separately. Change the context to a different virtual device and then run the command.

Configuring Roles on virtual devices

Configure roles permissions for users on each virtual device. When you create virtual devices, they do not receive any role permissions. You can use the CLI to:

Add a new role definition to a virtual device.
Delete a role definition from a virtual device or all the virtual devices.

R76 VSX does not support the Gaia WebUI. You cannot configure role permissions for the WebUI.

For more about configuring roles, see the R76 Gaia Administration Guide.

Syntax

add rba role <name> virtual-system-access <vsid>

delete rba role <name> virtual-system-access <vsid|all>

Parameter	Description
name	Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must start with a letter.
vsid	ID of the virtual device. Use commas to enter multiple virtual devices.
all	Deletes access permissions to all virtual devices.

Example

add rba role newRole domain-type System all-features

add rba role newRole virtual-system-access 0,2,3

Adding Roles

Use the CLI to create and configure roles for the VSX Gateway. Assign virtual devices to a role, so that the users of that role can access them.

To create roles for a VSX Gateway:

Create the role. Run add rba role
Add virtual devices to the role. Run add rba role <name> virtual-system-access <vsid>
Save the role. Run save config

This is an example of creating roles.

GizaVSXGW1:0> add rba role newRole domain-type System all-features

GizaVSXGW1:0> add rba role newRole virtual-system-access 0,2,3

GizaVSXGW1:0> save config

Adding Users

Use the CLI to create new users and assign them to a role.

To add users to a role:

Create the user. Run add user <username> uid <user-id> homedir <home directory path>
Create a password for the user. Run set user <username> password
Add the user to a role. Run add rba user role <role name>
Save the user. Run save config

This is an example of creating users.

GizaVSXGW1:0> add user user1 uid 160 homedir /home/user1

WARNING Must set password and a role before user can login.

- Use 'set user USER password' to set password.

- Use 'add rba user USER roles ROLE' to set a role.

- Use 'add rba role ROLE virtual-system-access' to set allowed virtual-system role.

GizaVSXGW1:0> set user user1 password

New password:

Verify new password:

GizaVSXGW1:0> add rba user user1 roles newRole

Adding or Deleting virtual devices to a Role

Use the add and delete rba role commands to configure the role permissions for virtual devices.

Syntax

add rba role <name> virtual-system-access <vsid>

delete rba role <name> virtual-system-access <vsid|all>

Parameter	Description
name	Role name as a character string that contains letters, numbers or the underscore (_) character. The role name must with a letter.
vsid	ID of the virtual device. Use commas to enter multiple virtual devices.
all	Deletes access permissions to all virtual devices.

Example

add rba role newRole virtual-system-access 0,2

delete rba role newRole virtual-system-access all

Showing virtual devices

Use the virtual-system command to show the virtual devices on the VSX Gateway.

Syntax

show virtual-system all

Output

Virtual Systems list

VS ID       VS NAME

0           VSX_GW

1           VSX_GW1_VSW

2           VS1

3           VS2

CoreXL Commands (fw ctl affinity)

This section explains how to use the fw ctl affinity command to set affinities in VSX. When you run this command, VSX automatically creates or updates the affinity configuration files. All affinity configurations are saved even after you reboot the VSX Gateway.

Affinity Exceptions

There are processes that are affinity exceptions and are not included in the affinity commands that you run. The $FWDIR/conf/vsaffinity_exception.conf file contains the list of processes that are affinity exceptions.

Important - Do not add Check Point processes to this list. Doing so can make the system unstable.

You cannot set affinity to kernel threads.

Affinity Priorities

When there is a conflict between affinities, there are priorities that are used to determine which CPU affinity is used. This is the priority order from highest to lowest:

Firewall instance
Process
Virtual System

Setting Affinities

Run the fw ctl affinity command to set these CPU affinities:

Firewall instance
Process
Virtual System

You must be in Expert mode to run the fw ctl affinity command.

Firewall Instance for each Virtual System

Set the affinity of firewall instances to one or more CPUs for each Virtual System separately.

Syntax

fw ctl affinity -s -d {-inst <instances> -cpu <cpus>|-fwkall <cores>}

Parameter	Description
<instances>	Number range of firewall instances that you are setting affinity. Use a dash to set a range of instances.
<cpus>	Number range of CPU processing cores that you are setting affinity. Use a dash to set a range of cores.
<cores>	Number of cores that are used for CPU affinity. You cannot use this parameter to assign specific cores to the firewall instances.

Example

vsenv 1

fw ctl affinity -s -d -inst 0 2-4 -cpu 0-2

fw ctl affinity -s -d -fwkall 3

Output

VDevice 1: CPU 0 1 2 - set successfully

Notes

You can use this command with the -fwkall parameter from any context.

Firewall Instance for all Virtual Systems

Use the -fwkall parameter to set the affinity of all the firewall instances to all the Virtual Systems.

Syntax

fw ctl affinity -s -d -fwkall <cores>

Parameter	Description
<cores>	Number of cores that are used for CPU affinity. You cannot use this parameter to assign specific cores to the firewall instances.

Example

fw ctl affinity -s -d -fwkall 3

Output

VDevice 0-2 : CPU 3 4 5 6 7 - set successfully

Notes

You can use this command with the -fwkall parameter from any context.

Processes

Set the affinity of processes to one or more CPUs. You can use the -vsid parameter to set the affinity for a process to Virtual Systems in any context. If you do not use the -vsid parameter, the affinity of the current context is set.

Syntax

fw ctl affinity -s -d -pname <process> [-vsid <vsids>] -cpu <cpus>

Parameter	Description
process	Name of process that you are setting affinity.
vsids	Virtual System IDs that you are setting affinity for this process. Use a dash to set a range of Virtual Systems.
cpus	Number range of CPU processing cores that you are setting affinity. Use a dash to set a range of cores.

Example

fw ctl affinity -s -d -pname cpd -vsid 0-1 -cpu 0 2

Output

VDevice 0-1 : CPU 0 2 - set successfully

Virtual Systems

Set the affinity of the Virtual Systems to one or more CPUs. You can use the -vsid parameter to set affinity to the specified Virtual Systems. If you do not use the -vsid parameter, the affinity of the current Virtual System is set.

Syntax

fw ctl affinity -s -d [-vsid <vsids>] -cpu <cpus>

Parameter

Description

vsids

Virtual System IDs that you are setting affinity.

Use a dash to set a range of Virtual Systems.

cpus

Number range of CPU processing cores that you are setting affinity.

Use a dash to set a range of cores.

Example

fw ctl affinity -s -d -vsid 0-1 -cpu 0 2

Output

VDevice 0-1 : CPU 0 2 - set successfully

Affinity Monitoring

You can monitor the affinity of processes and Virtual Systems on the VSX Gateway.

Monitoring Processes

Monitor the affinity of processes on the VSX Gateway. You can use the -vsid parameter to show the affinity for a process to the specified Virtual Systems.

Syntax

fw ctl affinity -l -x [-vsid <vsids>] [-flags [e|h|k|n|t]

Parameter	Description
vsids	Shows the affinity for processes for these Virtual System IDs. Use a dash to set a range of Virtual Systems.
e	Do not show processes that are affinity exceptions. Affinity exceptions are configured in the `$FWDIR/conf/vsaffinity_exception.conf` file.
h	Show CPU affinity mask in hexadecimal format.
k	Do not show kernel threads.
n	Show the process name instead of `/proc/<pid>/cmdline`
t	Show information about the process threads.

Example

fw ctl affinity -l -x -vsid 1 -flags tn

Output

---------------------------------------------------------------

|PID     |VSID |         CPU              |SRC|V|KT |EXC| NAME

---------------------------------------------------------------

|   4756 |   0 |                      all |   | |   |   | pm

|   4773 |   0 |                      all |   | |   |   | confd

|   4774 |   0 |                      all |   | |   |   | searchd

|   5008 |   0 |                      all |   | |   |   | |---searchd

|   4780 |   0 |                      all |   | |   |   | httpd2

|   4781 |   0 |                      all |   | |   |   | monitord

|  24700 |   0 |                      0 1 | P | |   |   | |---cpd

|  24704 |   0 |                      0 1 | P | |   |   | |---cpd

|  24705 |   0 |                      0 1 | P | |   |   | |---cpd

|  22800 |   0 |                      all |   | |   |   | mpdaemon

|  24523 |   0 |                      all |   | |   |   | fwk_forker

|  24525 |   0 |                      all |   | |   |   | fwk_wd

|  24573 |   0 |                  1 3 4 6 | P | |   |   | fw

|  24667 |   0 |                  1 3 4 6 | P | |   |   | |---fw

|  24668 |   0 |                  1 3 4 6 | P | |   |   | |---fw

|  24670 |   0 |                  1 3 4 6 | P | |   |   | |---fw

|  24671 |   0 |                  1 3 4 6 | P | |   |   | |---fw

|  25412 |   0 |                  1 3 4 6 | P | |   |   | |---fw

|  24642 |   0 |              2 3 4 5 6 7 | P | |   |   | fwk0_dev

|  24643 |   0 |              2 3 4 5 6 7 | P | |   |   | |---fwk0_0

|  30186 |   0 |                      all |   | |   |   | clishd

----------------------------------------------------------------

Showing Affinity Configurations

Show the configured affinities of the Virtual System.

Syntax

fw ctl affinity -l

Example

fw ctl affinity -l

Output

VS_0 cpd: CPU 0 2

VS_0 FWK_INSTANCE_0: CPU 3 7

VS_0 FWK_INSTANCE_4: CPU 3 7

VS_0 fwd: CPU 3 7

VS_0 fwk: CPU 0 1

VS_1: CPU 2 4 6

VS_1 fwd: CPU 4 5

VS_1 fwk: CPU 2 3 4 5 6 7

VSX Commands

This section describes the vsx commands.

Note - fw6 vsx commands are not supported.

vsx fetch

Description

Fetches the most current configuration files from the Main Domain Management Server, and applies it to the VSX Gateway.

Syntax

vsx fetch [-v] [-q] [-s] local

vsx fetch [-v | -q| -s] [-f conf_file]

vsx fetch [-v | -q] -C "command"

vsx fetch [-v | -q| -c| -n| -s] [management]

Parameters

Parameter	Description
-c	Cluster mode
-n	Do not run `local.vsall` if VSX configuration, as fetched from management server, is up-to-date.
-s	Concurrent fetches for multi-processor environment.
-q	Quiet mode - Only summary lines appear.
-v	Verbose mode - Detailed information appears.
-f conf_file	Fetches NCS commands configuration file instead of the default `local.vsall`.
local	Reads `local.vsall` configuration file from `$FWDIR/state/local/vsx` and executes the NCS
management	Fetches `local.vsall` from management, replaces and runs it.
-C command	Execute NCS command

Return Value

0 (zero) indicates that the command executed successfully. Any other response indicates an error.

Output

fw vsx fetch

Fetching VSX Configuration From: 10.18.99.101

 Local VSX Configuration is Up-To-Date.

 Cleaning un-used Virtual Systems entries (local.vskeep).

 Purge operation succeeded.

 Fetching Virtual Systems configuration file (local.vsall).

SecureXL device has been enabled for vsid 1

SecureXL device has been enabled for vsid 2

SecureXL device has been enabled for vsid 3

Virtual Systems configuration file installed successfully

vsx fetchvs

Description

Retrieves a specific Virtual System configuration file based on information stored locally on the gateway.

Syntax

vsx fetchvs [-v | -q] [<vs name> | <vs ID>]

Parameters

Parameter	Description
-q	Quiet output. Only summary information appears.
-v	Verbose output. Detailed information appears.
`<vs name>`\| <vs ID>	Enter the Virtual System name or ID.

Return Value

0 (zero) indicates that the command executed successfully. Any other response indicates an error.

Example

fw vsx fetchvs California

Output

fw vsx fetchvs 2

SecureXL device has been enabled for vsid 2

vsx stat

Description

Displays VSX status information.

Syntax

vsx stat [-v] [-l] [<vsid>]

Parameters

Parameter	Description
`-v`	Displays detailed (verbose) information.
-l	Displays a detailed list of all virtual devices.
<vsid>	Displays statistics for the specified Virtual System

Output

VSX Gateway Status

==================

Name: MyGateway
Security Policy: MyGateway_VSX
Installed at: 10Dec2007 10:31:25
SIC Status: Trust

Number of Virtual Systems allowed by license:100

Virtual Systems [active/configured]: 2/2

Virtual Routers and Switches [active/configured]:1/1

Total connections [current/limit} 4/46000

virtual devices Status
======================

ID | Type & Name | Security Policy | Installed at | SIC

-----+-------------+-----------------+----------------+------

1 | W VSW_1 |<Not Applicable> | | Trust

2 | S VS1 |Standard | 10Apr2005 10:31| Trust

3 | S VSs2 |Standard | 10Apr2005 10:31| Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch,

? - Information unavailable.

Output for a specific Virtual System

[Expert@sun:51]# vsx stat -l 51

VSID: 51

VRID: 51

Type: Virtual System

Name: sun_mem_vs49

Security Policy: TDCH-FW08.OPA

Installed at: 29Jul2009 12:37:58

SIC Status: Trust

Connections number: 0

Connections peak: 0

Connections limit: 15000

vsx sic reset

Description	Resets SIC for the Virtual System. Run `vsenv <vsid>` to change context and show an interface list for a different Virtual System.
Syntax	`vsx sic reset`

Example

vsenv 1

vsx sic reset

Output

resetting SIC for VSID 1

Note - On the management server, use the cpca_client revoke_cert command to cancel the old certificate. In SmartDashboard, open the Virtual System object for editing. Click OK. This action creates a new certificate, and transfers the certificate to the gateway.

Link Aggregation CLI Commands

cphaconf show_bond

Displays the status of an interface bond, or with the -a argument, a summary table of all bonds. When a bond is specified information for each slave interface is also displayed.

Syntax

cphaconf show_bond {<bond-name>|-a}

Example

[Expert@GW-1]# cphaconf show_bond bond0

Bond name:       bond0

Bond mode:       Load Sharing

Bond status:     Up

Balancing mode:  802.3ad Layer3+4 Load Balancing

Configured slave interfaces: 4

In use slave interfaces:     4

Required slave interfaces:   2

Slave Name       | Status          | Link

--------------------------------------------

eth2             | Active          | Yes

eth3             | Active          | Yes

eth4             | Active          | Yes

eth5             | Active          | Yes

Report Results

Required slave interfaces.
The Status column can contain these values:
- Down (Load Sharing mode only) - the physical link is down.
- Active - currently handling traffic.
- Standby (High Availability mode only) - the interface is ready, and can support internal bond failover.
- Not Available (High Availability mode only) - either the physical link is broken, or that the Cluster member is in status down. The bond cannot failover in this state.
The Link column reports whether the physical link exists.

chpaconf failover_bond

Initiates bond interface failover in the High Availability mode.

Syntax

cphaconf failover_bond <bond-name>

cphaprob -a if

Displays the status of all interface bonds and VLANs for all the Virtual Systems. For a High Availability bond, specifies whether it can failover.

Syntax

cphaprob -a if

Example

# cphaprob -a if

vsid 0:

------

Required interfaces: 1

Required secured interfaces: 0

bond1      Inbound: UP                  Outbound: DOWN (127 secs)     non sync(non secured), broadcast, bond High Availability

eth0       UP                    non sync(non secured), multicast

eth1       DOWN (127 secs)       sync(secured), broadcast

Virtual cluster interfaces: 1

eth0            172.16.6.115

vsid 2:

------

Required interfaces: 0

Required secured interfaces: 0

eth1       DOWN (38.6 secs)      sync(secured), broadcast

eth3       Inbound: UP                  Outbound: DOWN (38.6 secs)    non sync(non secured), multicast

Virtual cluster interfaces: 1

eth3            10.0.0.10

vsx_util Command

Description

Performs various VSX maintenance tasks. You run this command from the expert mode on the management server (Security Management Server or a Main Domain Management Server in a Multi-Domain Security Management environment).

Syntax

vsx_util <sub-command> [parameters]

Parameters

Parameter	Description
-s <management IP>	Perform action using the specified management IP
-u <user name>	Perform the action using the specified administrator
-c <cluster or gateway name>	Perform the action on the specified cluster or VSX Gateway
-m <member name>	Perform the action on the specified member
-h	Display help text

Comments

Note - You must close SmartDashboard before executing the vsx_util command if any Virtual Systems are defined on the Security Management Server or Multi-Domain Security Management Domain Management Server. Failure to do so may result in a database locked error.

The vsx_util command typically requires you to enter the following information before executing the command:

Management server name or IP address
User name and password
The command may ask for the name of one or more VSX objects upon which the command operates
Most vsx_util sub-commands are interactive and require additional user input. Brief descriptions of additional input requirements appear in the Input section for the various sub-commands. The instructions on the screen typically provide helpful information regarding required information.

add_member

Description	Adds a new member to an existing VSX cluster.
Syntax	`vsx_util add_member`
Input	VSX cluster object name New member name IP for [interface]: IP address assigned to specified interface (IP address is required for management and sync network interfaces)
Comments	Run the command and follow the instructions on the screen. When the command finishes executing, you must also Run the vsx_util add_member_reconf command. See Adding a New Member before using this command.

Description

Adds a new member to an existing VSX cluster.

Syntax

vsx_util add_member

Input

VSX cluster object name
New member name
IP for [interface]: IP address assigned to specified interface (IP address is required for management and sync network interfaces)

Comments

Run the command and follow the instructions on the screen. When the command finishes executing, you must also Run the vsx_util add_member_reconf command.

See Adding a New Member before using this command.

add_member_reconf

Description	Restores VSX configuration after adding a cluster member
Syntax	`vsx_util add_member_reconf`
Input	VSX member object name: VSX cluster member name Activation Key: SIC activation key assigned to the Security Management Server or main Domain Management Server Retype Activation Key: Retype to confirm the SIC activation key
Comments	Execute the command and follow the instructions on the screen. Reboot the member after the command script finishes. Review the procedure for defining a new member before using this command.

change_interfaces


Description		Automatically replaces designated existing interfaces with new interfaces on all virtual devices to which the existing interfaces connect. This command is useful when converting a deployment to use Link Aggregation, especially where VLANs connect to many virtual devices.
Syntax		`vsx_util change_interfaces`
Comments		This command is interactive. Follow the instructions on the screen. This command supports the resume feature. You can use this command to migrate a VSX deployment from an Open Server to a Check Point appliance by using the Management Only mode. Refer to the notes for additional information.
	Important - You must close SmartDashboard for all Multi-Domain Security Management Domain Management Servers using the affected interfaces prior to running this command.

Using vsx_util change_interfaces

To change interfaces:

Close SmartDashboard for the Security Management Server and/or Multi-Domain Security Management Domain Management Servers.
On the management server, enter the Expert Mode and run the vsx_util change_interfaces command.
Enter the Security Management Server or Multi-Domain Security Management main Domain Management Server IP address.
Enter the administrator name and password as requested.
Enter the VSX cluster object name.
When prompted, select one of the following options:
- Apply changes to management and Security Gateway / cluster members: Changes the on the management server, the VSX Security Gateway and cluster members.
- Apply changes to management Only: Changes interface on the management server only. You must use the vsx_util reconfigure command to push the updated configuration to VSX Gateways or cluster members.
When prompted, select the interface to be replaced.
When prompted, select the replacement interface.
1. You can optionally add a new interface by selecting "Enter new interface name". This interface must physically exist on the VSX Gateway or cluster members or the operation will fail.
2. At the prompt, enter the new interface name. If the new interface is a bond, the interface name must match the bond name exactly (bond names are case sensitive).
To replace additional interfaces, enter "y" when prompted and repeat steps 6 through 8.
To complete the process, enter "n".
If you selected the Apply changes to management only option, run the vsx_util reconfigure command to push the updated configuration to the VSX Gateways or cluster members.
Reboot the VSX Gateway and/or cluster members as appropriate.

Notes

The Apply changes to management and gateway / cluster members option verifies connectivity between the management server and the VSX Gateway or cluster members. In the event of a connectivity failure one of the following actions occur:
1. If all of the newly changed interfaces fail to establish connectivity, the process terminates unsuccessfully.
2. If one or more interfaces successfully establish connectivity, while one or more other interfaces fail, you may optionally continue the process. In this case those interfaces for which connectivity was established successfully will be changed. For those interfaces that failed, you must then resolve the issue and then run the vsx_util reconfigure command to complete the process.
If you select the Apply changes to management Only option, you can select another interface from list (if any are available) or select the option to add a new interface.

change_mgmt_ip

Description	Changes gateway or cluster member management IP address
Syntax	`vsx_util change_mgmt_ip`
Input	VSX Gateway / member object name New management IP address
Comments	We recommend that you back up the management database before using this command. Execute the command and follow the instructions on the screen.

change_mgmt_private_net

Description	Changes the cluster internal communication network IP address
Syntax	`vsx_util change_private_net`
Input	VSX cluster object name New cluster private network: New IP address for the cluster private network
Comments	We recommend that you back up the management database before using this command. The private network IP address must be unique and not used anywhere behind the VSX Gateway, cluster or Virtual Systems. The new cluster private network must conform to the net mask 255.255.252.0. Execute the command and follow the instructions on the screen.

change_interfaces


Description		Automatically replaces designated existing interfaces with new interfaces on all virtual devices to which the existing interfaces connect. This command is useful when converting a deployment to use Link Aggregation, especially where VLANs connect to many virtual devices.
Syntax		`vsx_util change_interfaces`
Comments		This command is interactive. Follow the instructions on the screen. This command supports the resume feature. You can use this command to migrate a VSX deployment from an Open Server to a Check Point appliance by using the Management Only mode. Refer to the notes for additional information.
	Important - You must close SmartDashboard for all Multi-Domain Security Management Domain Management Servers using the affected interfaces prior to running this command.

Using vsx_util change_interfaces

To change interfaces:

Close SmartDashboard for the Security Management Server and/or Multi-Domain Security Management Domain Management Servers.
On the management server, enter the Expert Mode and run the vsx_util change_interfaces command.
Enter the Security Management Server or Multi-Domain Security Management main Domain Management Server IP address.
Enter the administrator name and password as requested.
Enter the VSX cluster object name.
When prompted, select one of the following options:
- Apply changes to management and Security Gateway / cluster members: Changes the on the management server, the VSX Security Gateway and cluster members.
- Apply changes to management Only: Changes interface on the management server only. You must use the vsx_util reconfigure command to push the updated configuration to VSX Gateways or cluster members.
When prompted, select the interface to be replaced.
When prompted, select the replacement interface.
1. You can optionally add a new interface by selecting "Enter new interface name". This interface must physically exist on the VSX Gateway or cluster members or the operation will fail.
2. At the prompt, enter the new interface name. If the new interface is a bond, the interface name must match the bond name exactly (bond names are case sensitive).
To replace additional interfaces, enter "y" when prompted and repeat steps 6 through 8.
To complete the process, enter "n".
If you selected the Apply changes to management only option, run the vsx_util reconfigure command to push the updated configuration to the VSX Gateways or cluster members.
Reboot the VSX Gateway and/or cluster members as appropriate.

Notes

The Apply changes to management and gateway / cluster members option verifies connectivity between the management server and the VSX Gateway or cluster members. In the event of a connectivity failure one of the following actions occur:
1. If all of the newly changed interfaces fail to establish connectivity, the process terminates unsuccessfully.
2. If one or more interfaces successfully establish connectivity, while one or more other interfaces fail, you may optionally continue the process. In this case those interfaces for which connectivity was established successfully will be changed. For those interfaces that failed, you must then resolve the issue and then run the vsx_util reconfigure command to complete the process.
If you select the Apply changes to management Only option, you can select another interface from list (if any are available) or select the option to add a new interface.

change_mgmt_subnet

Description	Change the gateway or member management subnet
Syntax	`vsx_util change_mgmt_subnet`
Input	VSX Gateway / member object name New subnet mask
Comments	Backup the management database before using this command Only automatically generated routes are changed by the command script. You must remove and/or change all manually created routes using the previous management subnet. To perform this action, execute the command and follow the instructions on the screen. Reboot the VSX Gateway or cluster members after the command script finishes.

Description

Change the gateway or member management subnet

Syntax

vsx_util change_mgmt_subnet

Input

VSX Gateway / member object name
New subnet mask

Comments

Backup the management database before using this command
Only automatically generated routes are changed by the command script. You must remove and/or change all manually created routes using the previous management subnet.

To perform this action, execute the command and follow the instructions on the screen. Reboot the VSX Gateway or cluster members after the command script finishes.

convert_cluster

Description	Converts the cluster type from High Availability to VSLS or from VSLS to High Availability
Syntax	`vsx_util convert_cluster`
Input	VSX cluster object name ClusterXL mode: HA for High Availability or LS for Virtual System Load Sharing
Comments	Backup the management database before using this command. To perform this action, execute the command and follow the instructions on the screen. When switching to High Availability, all Virtual Systems are active on the same member by default. Peer Virtual Systems are standby on other members. When converting to VSLS, all members must be in the Per Virtual System state.

Description

Converts the cluster type from High Availability to VSLS or from VSLS to High Availability

Syntax

vsx_util convert_cluster

Input

VSX cluster object name

ClusterXL mode: HA for High Availability or LS for Virtual System Load Sharing

Comments

Backup the management database before using this command.

To perform this action, execute the command and follow the instructions on the screen.

When switching to High Availability, all Virtual Systems are active on the same member by default. Peer Virtual Systems are standby on other members.

When converting to VSLS, all members must be in the Per Virtual System state.

reconfigure

	Restores a VSX configuration to a newly installed gateway or cluster member
Syntax	vsx_util reconfigure
Input	VSX cluster member name SIC activation key assigned to the Security Management Server or Domain Management Server Retype to confirm the SIC activation key
Comments	For more about how to use the vsx_util reconfigure command, go to sk97552. This command is also useful for restoring a gateway or cluster member after a system failure. Execute the command and follow the instructions on the screen. A new gateway or cluster member must have the same hardware specifications and configuration as its replacement and other cluster members. Most importantly, it must have the same number of interfaces (or more) and the same management IP address. The new or replacement machine must be a new installation. You cannot use a machine with a previous VSX configuration.

remove_member

Description	Removes a member from an existing cluster
Syntax	vsx_util remove_member
Comments	Backup the management database before using this command Make certain that you remove member license before executing this command Execute the command and follow the instructions on the screen

Description

Removes a member from an existing cluster

Syntax

vsx_util remove_member

Comments

Backup the management database before using this command

Make certain that you remove member license before executing this command

Execute the command and follow the instructions on the screen

show_interfaces

Description

Displays selected interface information in a VSX deployment. Provides information regarding interface types, connections to virtual devices, and IP addresses. The output appears on the screen and is also saved to the interfacesconfig.csv file.

Syntax

vsx_util show_interfaces

Parameters

Option	Description
1) All Interfaces	Show all interfaces (physical and Warp)
2) All Physical Interfaces	Show Physical interfaces only
3) All Warp Interfaces	Show Warp interfaces only
4) A Specific Interface	Enter the interface name when prompted to a specific interface.

Note - You cannot specify a VLAN tag as a parameter for the Specific Interface option. You can, however, specify an interface used as a VLAN (without the tag suffix) to view all tags associated with that interface. This is illustrated in the sample output below.

Sample Output

Which interface would you like to display?

  1)    All Interfaces

  2)    All Physical Interfaces

  3)    All Warp Interfaces

  4)    A Specific Interface

Enter your choice: 4

Enter Interface Name:eth1

+-------------------+---------------------+----+---------------+---------------+

|Type & Interface   | virtual device Name |VSID|  IP Address   |    Netmask    |

+-------------------+---------------------+----+---------------+---------------+

|V eth1.11          |vs1                  |2   |10.1.1.11      |255.255.255.0  |

+-------------------+---------------------+----+---------------+---------------+

|V eth1.44          |vs4                  |6   |10.4.4.44      |255.255.255.0  |

+-------------------+---------------------+----+---------------+---------------+

|V eth1.22          |vs2                  |3   |10.2.2.22      |255.255.255.0  |

+-------------------+---------------------+----+---------------+---------------+

|V eth1.33          |vs3                  |4   |10.3.3.33      |255.255.255.0  |

+-------------------+---------------------+----+---------------+---------------+

|V eth1.55          |vs5                  |5   |10.5.5.55      |255.255.255.0  |

+-------------------+---------------------+----+---------------+---------------+

Type:   M - Management Interface       S - Synchronization Interface

        V - VLAN Interface             W - Warp Interface

        U - Used Interface             A - Available Interface

        X - Unknown Interface          E - Error in Interface Properties

Upgrade

Description

Upgrades Gateways and/or cluster members to newer versions

Syntax

vsx_util upgrade

Comments

This command updates all VSX objects in the management database to the designated newer version.

Backs up the management server.

Execute the command and follow the instructions on the screen.

After the command script finishes, execute the vsx_util reconfigure command.

view_vs_conf

Description	Displays virtual device configuration and status, including troubleshooting information. This command also compares the management server database with the actual VSX Gateways and cluster member configurations.
Syntax	vsx_util view_vs_conf

Output

Interfaces configuration table:

+-------------------------+--------------+-----------------------------+

|Interfaces               |Mgmt |VSX GW  |                             |

+----------+--------------+--------------+---------+---------+---------+

|Name      |Address       |Mask          | Member1 | Member2 | Member3 |

+----------+--------------+--------------+---------+---------+---------+

|eth1.51   |20.10.10.1    |255.255.255.0 |    V    |    V    |    V    |

|wrp128    |172.23.50.181 |255.255.255.0 |    V    |    V    |    V    |

+----------+--------------+--------------+---------+---------+---------+

Interfaces Table Legend:

V: Interface exists on the gateway and matches management information

-	 - Interface does not exist on the gateway.

N/A	- Fetching virtual device configuration from the gateway failed.

!IP  - Interface exists on the gateway, but there is an IP address mismatch.

!MASK - Interface exists on the gateway, but there is a net mask mismatch.

Routing table:

+----------------------------------------------------+----+-------------+

|Routes                                              |Mgmt|VSX GW(s)    |

+------------+--------------+-------------+----------+----+------+------+

|Destination |Mask          |Gateway      |Interface |    |Member|Member|

+------------+--------------+-------------+----------+----+------+------+

|172.23.50.0 |255.255.255.0 |             |wrp128    |  V |  V   |  V   |

|20.10.10.0  |255.255.255.0 |             |eth1.51   |  V |  V   |  V   |

|20.30.30.0  |255.255.255.0 |172.23.50.82 |          |  V |  V   |  V   |

+-----------------+-------------------+------------------+--------------+-----+--------+---------+

+-------------------------------------------------------+-----+---------+

|Routes                                                 |Mgmt |VSX GW(s)|

+---------------+--------------+-------------+----------+-----+---------+

|Destination    |Mask          |Gateway      |Interface |     |Member3  |

+---------------+--------------+-------------+----------+-----+---------+

|172.23.50.0    |255.255.255.0 |             |wrp128    |  V  |    V    |

|20.10.10.0     |255.255.255.0 |             |eth1.51   |  V  |    V    |

|20.30.30.0     |255.255.255.0 |172.23.50.82 |          |  V  |    V    |

+---------------+--------------+-------------+----------+-----+---------+

Routing Table Legend:

V   - Route exists on the gateway and matches management information.

-   - Route does not exist on the gateway.

N/A  - Fetching virtual device configuration from the gateway failed.

!NH  - Route exists on the gateway, but there is a Next Hop mismatch.

Description Display VSLS load sharing configuration and status

Usage vsx_util vsls

Output

Sample output:

vsx_util vsls

Enter SmartCenter Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):

Enter Administrator Name:

Enter Administrator Password:

Enter ClusterXL Load Sharing cluster object name:

VSID| VS name | m5        | m6        | m7        | Weight |

----+---------+-----------+-----------+-----------+--------+

 10 | vs1     | 0         | 1         | 2         | 10     |

 11 | vs2     | 2         | 0         | 1         | 10     |

 12 | vs3     | 1         | 2         | 0         | 10     |

 13 | vs4     | 0         | 2         | 1         | 10     |

 15 | vs5     | 1         | 0         | 2         | 10     |

 20 | vs6     | 2         | 1         | 0         | 10     |

----+---------+-----------+-----------+-----------+--------+

 Total weight | 20        | 20        | 20        | 60     |

----+---------+-----------+-----------+-----------+--------+

Legend:

0 - Highest priority

1 - Next priority

2 - Lowest priority

vsls

Description	Displays the Virtual System Load Sharing Menu, which allows you to perform a variety of configuration tasks for Load Sharing deployments. You perform configuration tasks interactively by following the instructions on the screen.
Syntax	vsx_util vsls
Output	VS Load Sharing - Menu ________________________________ 1. Display current VS Load sharing configuration 2. Distribute all Virtual Systems so that each cluster member is equally loaded 3. Set all VSs active on one member 4. Manually set priority and weight 5. Import configuration from a file 6. Export configuration to a file 7. Exit Enter redistribution option (1-7) [1]
Comments	This command is interactive. Select the desired menu option and follow the instructions on the screen.

You use the vsx_util vsls command to perform various Virtual System Load Sharing configuration tasks, including:

Displaying the current VSLS configuration
Distributing Virtual Systems equally amongst cluster members
Set all Virtual Systems as active on one member
Manually define the priority and weight for individual Virtual Systems
Import VSLS configurations from comma separated value (CSV) text files
Export VSLS configurations to comma separated value (CSV) text files
Exporting and Import VSLS configurations from/to comma separated value (CSV) text files

To work with the vsx_util vsls command:

Run vsx_util vsls from the Expert mode on the management server
Select the desired choice from the VSLS menu

The cphaprob Command

You use the cphaprob command to verify cluster functionality and to debug cluster related problems. This section provides a brief overview of the cphaprob command and its command options. For complete documentation and use cases, refer to the R76 ClusterXL Administration Guide.

A critical device is a process running on a cluster member that enables the member to notify other cluster members that it can no longer function as a member. The device reports to the ClusterXL mechanism regarding its current state or it may fail to report, in which case ClusterXL decides that a failure has occurred and another cluster member takes over. When a critical device (also known as a Problem Notification, or pnote) fails, the cluster member is considered to have failed.

There are a number of built-in critical devices, and the administrator can define additional critical devices. The default critical devices are:

Cluster interfaces on the cluster members.

Synchronization — full synchronization completed successfully.

Filter — the Security Policy, and whether it is loaded.

fwd — the VPN‑1 daemon.

You can include these commands in scripts for automatic execution.

To produce a usage printout for cphaprob that shows all the available commands, type cphaprob at the command line and press Enter. The following output appears:

cphaprob state

cphaprob [-a] [-vs vsid] if

The following commands are NOT applicable for 3rd party:

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register

cphaprob -f <file> register

cphaprob -d <device> [-p] unregister

cphaprob -a unregister

cphaprob -d <device> -s <ok|init|problem> report

cphaprob [-i[a]] [-e] [-vs vsid] list

cphaprob -vs <vsid> register

cphaprob -vs <vsid> unregister

cphaprob igmp ................... IGMP membership status

cphaprob [-reset] [-a] ldstat ... Sync serialization statistics

cphaprob [-reset] [-a] syncstat . Sync transport layer statistics

cphaprob fcustat ................ Full connectivity upgrade statistics

cphaprob tablestat .............. Cluster tables

Command Options

The following table describes the available command options:

Parameter	Description
`[-vs vsid] stat`	View the status all cluster members or for a specific Virtual System. `-vs` is relevant only for VSLS.
`[-a] [-vs vsid] if`	View the state of the cluster member interfaces and the virtual cluster interfaces. `-vs` is relevant only for VSLS.
`[-i[a]] [-e] list`	View the list of critical devices on a cluster member, and of all the other machines in the cluster.
`-d <device> -t <timeout (sec) > -s <ok \| init \| problem> [-p] register`	Register <device> as a critical process, and add it to the list of devices that must be running for the cluster member to be considered active.
`-f <file> register`	Register all the user defined critical devices listed in `<file>`.
`-d <device> [-p] unregister`	Unregister a user defined `<device>` as a critical process. This means that this device is no longer considered critical.
`-a unregister`	Unregister all user defined devices
`-d <device> -s <ok \| init \| problem > report`	Report the status of a user defined critical device to ClusterXL.
`[-reset] ldstat -vs`	View sync serialization statistics. -vs is relevant only for VSLS.
`[-reset] syncstat -vs`	View sync transport layer statistics. -vs is relevant only for VSLS.
`tablestat`	Displays interfaces and IP addresses for each cluster member