vsx_util Command

Description

Performs various VSX maintenance tasks. You run this command from the expert mode on the management server (Security Management Server or a Main Domain Management Server in a Multi-Domain Security Management environment).

Syntax

vsx_util <sub-command> [parameters]

Parameters

Parameter	Description
-s <management IP>	Perform action using the specified management IP
-u <user name>	Perform the action using the specified administrator
-c <cluster or gateway name>	Perform the action on the specified cluster or VSX Gateway
-m <member name>	Perform the action on the specified member
-h	Display help text

Comments

Note - You must close SmartDashboard before executing the vsx_util command if any Virtual Systems are defined on the Security Management Server or Multi-Domain Security Management Domain Management Server. Failure to do so may result in a database locked error.

The vsx_util command typically requires you to enter the following information before executing the command:

Management server name or IP address
User name and password
The command may ask for the name of one or more VSX objects upon which the command operates
Most vsx_util sub-commands are interactive and require additional user input. Brief descriptions of additional input requirements appear in the Input section for the various sub-commands. The instructions on the screen typically provide helpful information regarding required information.

Included Topics

add_member

Description	Adds a new member to an existing VSX cluster.
Syntax	`vsx_util add_member`
Input	VSX cluster object name New member name IP for [interface]: IP address assigned to specified interface (IP address is required for management and sync network interfaces)
Comments	Run the command and follow the instructions on the screen. When the command finishes executing, you must also Run the vsx_util add_member_reconf command. See Adding a New Member before using this command.

Description

Adds a new member to an existing VSX cluster.

Syntax

vsx_util add_member

Input

VSX cluster object name
New member name
IP for [interface]: IP address assigned to specified interface (IP address is required for management and sync network interfaces)

Comments

Run the command and follow the instructions on the screen. When the command finishes executing, you must also Run the vsx_util add_member_reconf command.

See Adding a New Member before using this command.

add_member_reconf

Description	Restores VSX configuration after adding a cluster member
Syntax	`vsx_util add_member_reconf`
Input	VSX member object name: VSX cluster member name Activation Key: SIC activation key assigned to the Security Management Server or main Domain Management Server Retype Activation Key: Retype to confirm the SIC activation key
Comments	Execute the command and follow the instructions on the screen. Reboot the member after the command script finishes. Review the procedure for defining a new member before using this command.

change_interfaces


Description		Automatically replaces designated existing interfaces with new interfaces on all Virtual Devices to which the existing interfaces connect. This command is useful when converting a deployment to use Link Aggregation, especially where VLANs connect to many Virtual Devices.
Syntax		`vsx_util change_interfaces`
Comments		This command is interactive. Follow the instructions on the screen. This command supports the resume feature. You can use this command to migrate a VSX deployment from an Open Server to a Check Point appliance by using the Management Only mode. Refer to the notes for additional information.
	Important - You must close SmartDashboard for all Multi-Domain Security Management Domain Management Servers using the affected interfaces prior to running this command.

Using vsx_util change_interfaces

To change interfaces:

Close SmartDashboard for the Security Management Server and/or Multi-Domain Security Management Domain Management Servers.
On the management server, enter the Expert Mode.
Run vsx_util change_interfaces
Enter the IP address for the Security Management Server or Multi-Domain Security Management main Domain Management Server.
Enter the administrator name and password as requested.
Enter or select the VSX cluster or VSX Gateway object name.
When prompted, select one of the following options:
- Apply changes to management and Security Gateway/cluster members: Changes the on the management server, the VSX Security Gateway and cluster members.
- Apply changes to management Only: Changes interface on the management server only. You must use the vsx_util reconfigure command to push the updated configuration to VSX Gateways or cluster members.
Select the interface to be replaced.
Select the replacement interface.
1. You can optionally add a new interface by selecting "Enter new interface name". This interface must physically exist on the VSX Gateway or cluster members or the operation will fail.
2. At the prompt, enter the new interface name. If the new interface is a bond, the interface name must match the bond name exactly (bond names are case sensitive).
To replace additional interfaces, enter y when prompted and repeat steps 6 through 8.
To complete the process, enter n.
If you selected the Apply changes to management only option, you can remove the replaced interfaces from the database. Enter "y" for this option:
Would you like to remove the old interfaces from the database? (y|n) [n]:
Reboot the VSX Gateway and/or cluster members as appropriate.

Notes

The Apply changes to management and gateway / cluster members option verifies connectivity between the management server and the VSX Gateway or cluster members. In the event of a connectivity failure one of the following actions occur:
1. If all of the newly changed interfaces fail to establish connectivity, the process terminates unsuccessfully.
2. If one or more interfaces successfully establish connectivity, while one or more other interfaces fail, you may optionally continue the process. In this case those interfaces for which connectivity was established successfully will be changed. For those interfaces that failed, you must then resolve the issue and then run the vsx_util reconfigure command to complete the process.
If you select the Apply changes to management Only option, you can select another interface from list (if any are available) or select the option to add a new interface.

change_mgmt_ip

Description	Changes gateway or cluster member management IP address within the same subnet. See sk92425.
Syntax	`vsx_util change_mgmt_ip`
Input	VSX Gateway/member object name New management IP address
Comments	We recommend that you back up the management database before using this command. Execute the command and follow the instructions on the screen.

change_mgmt_subnet

Description	Change the gateway or member management IP address to a different subnet. See sk92425.
Syntax	`vsx_util change_mgmt_subnet`
Input	VSX Gateway/member object name New subnet mask
Comments	Backup the management database before using this command Only automatically generated routes are changed by the command script. You must remove and/or change all manually created routes using the previous management subnet. To perform this action, execute the command and follow the instructions on the screen. Reboot the VSX Gateway or cluster members after the command script finishes.

change_private_net

Description	Changes the cluster internal communication network IP address.
Syntax	`vsx_util change_private_net`
Input	VSX cluster object name New cluster private network: New IP address for the cluster private network
Comments	We recommend that you back up the management database before using this command. The private network IP address must be unique and not used anywhere behind the VSX Gateway, cluster or Virtual Systems. For an IPv4 cluster, the default cluster private network uses `255.255.252.0` for the netmask. You can change this value. For an IPv6 cluster, the new cluster private network must use `/80` for the netmask. Run the command and follow the instructions on the screen.

convert_cluster

Description	Converts the cluster type from High Availability to VSLS or from VSLS to High Availability
Syntax	`vsx_util convert_cluster`
Input	VSX cluster object name ClusterXL mode: HA for High Availability or LS for Virtual System Load Sharing
Comments	Backup the management database before using this command. To perform this action, execute the command and follow the instructions on the screen. When switching to High Availability, all Virtual Systems are active on the same member by default. Peer Virtual Systems are standby on other members. When converting to VSLS, all members must be in the Per Virtual System state.

Description

Converts the cluster type from High Availability to VSLS or from VSLS to High Availability

Syntax

vsx_util convert_cluster

Input

VSX cluster object name

ClusterXL mode: HA for High Availability or LS for Virtual System Load Sharing

Comments

Backup the management database before using this command.

To perform this action, execute the command and follow the instructions on the screen.

When switching to High Availability, all Virtual Systems are active on the same member by default. Peer Virtual Systems are standby on other members.

When converting to VSLS, all members must be in the Per Virtual System state.

reconfigure

Description	Restores a VSX configuration to a newly installed gateway or cluster member
Syntax	vsx_util reconfigure
Input	VSX cluster member name SIC activation key assigned to the Security Management Server or Domain Management Server Retype to confirm the SIC activation key
Comments	For more about how to use the `vsx_util reconfigure` command for VSX Gateway R77.10, R77.20 or R77.30, go to: sk97552: VSX Reconfigure and Upgrade Matrix to R77.10 / R77.20 / R77.30. This command is also useful for restoring a gateway or cluster member after a system failure. Execute the command and follow the instructions on the screen. A new gateway or cluster member must have the same hardware specifications and configuration as its replacement and other cluster members. Most importantly, it must have the same number of interfaces (or more) and the same management IP address. The new or replacement machine must be a new installation. You cannot use a machine with a previous VSX configuration. In addition, see sk100395: How to backup and restore VSX gateway.

remove_member

Description	Removes a member from an existing cluster
Syntax	vsx_util remove_member
Comments	Backup the management database before using this command Make certain that you remove member license before executing this command Execute the command and follow the instructions on the screen

Description

Removes a member from an existing cluster

Syntax

vsx_util remove_member

Comments

Backup the management database before using this command

Make certain that you remove member license before executing this command

Execute the command and follow the instructions on the screen

show_interfaces

Description

Displays selected interface information in a VSX deployment. Provides information regarding interface types, connections to Virtual Devices, and IP addresses. The output appears on the screen and is also saved to the interfacesconfig.csv file.

Syntax

vsx_util show_interfaces

Parameters

Option	Description
1) All Interfaces	Show all interfaces (physical and Warp)
2) All Physical Interfaces	Show Physical interfaces only
3) All Warp Interfaces	Show Warp interfaces only
4) A Specific Interface	Enter the interface name when prompted to a specific interface.

Note - You cannot specify a VLAN tag as a parameter for the Specific Interface option. You can, however, specify an interface used as a VLAN (without the tag suffix) to view all tags associated with that interface. This is illustrated in the sample output below.

Sample Output

Expert@mgmt95:0]# vsx_util show_interfaces

Enter Security Management Server/main Domain Management Server IP address
(Hit 'ENTER' for 'localhost'):

Enter Administrator Name: jon

Enter Administrator Password:

Select VSX Gateway/cluster object name:

1) vsx-cluster

2) vsx-cluster_2

3) vsx-gw

4) vsx-gw_2

Select: 1

Which interface would you like to display?

1) All Interfaces

2) All Physical Interfaces

3) All Warp Interfaces

4) A Specific Interface

Enter your choice: 1

+------------------------------------+----+--------------------------------------

|Type & Interface|Virtual Device Name|VSID| IP / Mask length

+----------------+-------------------+----+--------------------------------------

|M eth0 |vsx-cluster |0 |v4 172.16.16.98/24 v6 2001:0DB8::98/64

+----------------+-------------------+----+--------------------------------------

|S eth1 |vsx-cluster |0 |v4 10.0.0.0/24

+----------------+-------------------+----+--------------------------------------

|U eth2 |vs1 |1 |v4 192.0.2.2/24 v6 2001:0DB8:c::1/64

+----------------+-------------------+----+--------------------------------------

|U eth3 |vs1 |1 |v4 192.168.3.3/24 v6 2001:0DB8:b::1/64

+----------------+-------------------+----+--------------------------------------

|A eth4 | | |

+----------------+-------------------+----+--------------------------------------

|U eth5 |vs2 |2 |v4 10.10.10.10/24 v6 2001:0DB8:a::1/64

+----------------+-------------------+----+--------------------------------------

|A eth6 | | |

+----------------+-------------------+----+--------------------------------------

#Type: M - Management Interface S - Synchronization Interface

# V - VLAN Interface W - Warp Interface

# U - Used Interface A - Available Interface

# X - Unknown Interface E - Error in Interface Properties

upgrade

Description

Upgrades Gateways and/or cluster members to newer versions

Syntax

vsx_util upgrade

Comments

This command updates all VSX objects in the management database to the designated newer version.

Backs up the management server.

Execute the command and follow the instructions on the screen.

After the command script finishes, execute the vsx_util reconfigure command.

view_vs_conf

Description	Displays Virtual Device configuration and status, including troubleshooting information. This command also compares the management server database with the actual VSX Gateways and cluster member configurations.
Syntax	vsx_util view_vs_conf

Output

[Expert@mgmt95:0]# vsx_util view_vs_conf

Enter Security Management Server/main Domain Management Server IP address (
Hit 'ENTER' for 'localhost'):

Enter Administrator Name: jon

Enter Administrator Password:

Select VSX gateway/cluster object name:

1) vsx-cluster

2) vsx_cluster_2

3) vsx-gw

4) vsx-gw_2

Select: 1

Select Virtual Device object name:

1) vs1

2) vs2

3) vs3

4) vsx-cluster

Select: 1

Type: Virtual System

Interfaces configuration table:

+---------------------------------------------------+-----+-------------------+

|Interfaces |Mgmt |VSX GW(s) |

+----------+----------------------------------------+-----+---------+---------+

|Name | IP / Mask length | |mem96 |mem97 |

+----------+----------------------------------------+-----+---------+---------+

|eth2 |v4 10.0.0.0/24 v6 2001:db8::abc::1/64 | V | V | V |

|eth3 |v4 10.10.10.10/24 v6 2001:db8::3121/64 | V | V | V |

+----------+----------------------------------------+-----+---------+---------+

Interfaces Table Legend:

V - Interface exists on the gateway and matches management information
(if defined on the management).

- - Interface does not exist on the gateway.

N/A - Fetching Virtual Device configuration from the gateway failed.

!IP - Interface exists on the gateway, but there is an IP address mismatch.

!MASK - Interface exists on the gateway, but there is a Net Mask mismatch.

Routing table:

+----------------------------------------------------------+-----+-------------+

|Ipv4 Routes |Mgmt |VSX GW(s) |

+--------------------------+--------------------+----------+-----+------+------+

+--------------------------+--------------------+----------+-----+------+------+

|2.2.2.0/24 | |eth2 | V | V | V |

|3.3.3.0/24 | |eth3 | V | V | V |

+--------------------------+--------------------+----------+-----+------+------+

+----------------------------------------------------------+-----+-------------+

|Ipv6 Routes |Mgmt |VSX GW(s) |

+--------------------------+--------------------+----------+-----+------+------+

+--------------------------+--------------------+----------+-----+------+------+

|2001:db8::abc::/64 | |eth2 | V | !NH | !NH |

|2001:db8:0a::/64 | |eth3 | V | !NH | !NH |

+--------------------------+--------------------+----------+-----+------+------+

|2001:db8::1ffe:0:0:0/112 | |eth2 | - | V | V |

|2001:db8::fd9a:0:1:0/112 | |eth3 | - | V | V |

+--------------------------+--------------------+----------+-----+------+------+

Routing Table Legend:

V - Route exists on the gateway and matches management information
(if defined on the management).

- - Route does not exist on the gateway.

N/A - Fetching Virtual Device configuration from the gateway failed.

!NH - Route exists on the gateway, but there is a Next Hop mismatch.

Note: Routes can be created automatically on the gateways by the Operating
System.

Therefore, routes that appear on all gateways, but are not defined on the
management,do not necessarily indicate a problem.

vsls

Description	Displays the Virtual System Load Sharing Menu, which allows you to perform a variety of configuration tasks for Load Sharing deployments. You perform configuration tasks interactively by following the instructions on the screen.
Syntax	vsx_util vsls
Output	VS Load Sharing - Menu ________________________________ 1. Display current VS Load sharing configuration 2. Distribute all Virtual Systems so that each cluster member is equally loaded 3. Set all VSs active on one member 4. Manually set priority and weight 5. Import configuration from a file 6. Export configuration to a file 7. Exit Enter redistribution option (1-7) [1]
Comments	This command is interactive. Select the desired menu option and follow the instructions on the screen.

You use the vsx_util vsls command to perform various Virtual System Load Sharing configuration tasks, including:

Displaying the current VSLS configuration
Distributing Virtual Systems equally amongst cluster members
Set all Virtual Systems as active on one member
Manually define the priority and weight for individual Virtual Systems
Import VSLS configurations from comma separated value (CSV) text files
Export VSLS configurations to comma separated value (CSV) text files
Exporting and Import VSLS configurations from/to comma separated value (CSV) text files

To work with the vsx_util vsls command:

Run vsx_util vsls from the Expert mode on the management server
Select the desired choice from the VSLS menu