vsx_util reconfigure

Description

Restores VSX configuration on a VSX Gateway or VSX Cluster Member (for example, after you perform clean install after a system failure).

Syntax

vsx_util reconfigure

Important - Before you run the vsx_util commands:

  • Back up the VSX environment. See sk100395: How to backup and restore VSX gateway.

  • You must close all SmartConsole clients. Failure to do so may result in a database lock error.

  • On a Multi-Domain Security Management Server, you must switch to the context of the Main Domain Management Server that manages the VSX Gateway / VSX Cluster object.

    Use the command "mdsenv <IP Address or Name of Domain Management Server>".

Important - Before you run this command on the Management Server, you must configure specific settings on the cleanly installed VSX Gateway or VSX Cluster Member as they were:

  • IP address of Gaia management interface

  • Enable IPv6 support in Gaia

  • Configure the applicable interfaces (Bond, VLAN, and so on)

  • Configure kernel parameters and their values:

    • $FWDIR/boot/modules/fwkern.conf

    • $FWDIR/boot/modules/vpnkern.conf

    • $PPKDIR/conf/simkern.conf

  • Configure CoreXL:

    • Number of CoreXL Firewall instances (for IPv4 and IPv6) in the context of VS0 (run the cpconfig command and select the option Check Point CoreXL)

    • $FWDIR/conf/fwaffinity.conf

Required Input

  • The applicable VSX Gateway or VSX Cluster object.

  • The one-time Activation Key (SIC activation key).

Comments

  • Execute the command and follow the instructions on the screen.

  • The new VSX Gateway or VSX Cluster Member:

    • Must be a new installation.

      You cannot use a VSX Gateway or VSX Cluster Member with a previous VSX configuration.

    • Must have the same hardware specifications as the original.

      Most importantly, it must have at least the same number of interfaces.

    • Must have the same Gaia OS configuration as the original.

      Most importantly, it must have the same VSX Management IP address.

Limitations

The reconfigure process does not restore the local configuration that was performed on VSX Gateway or VSX Cluster Member itself (because this configuration is not stored on the Management Server).

Important - After the reconfigure process is complete and you rebooted VSX Gateway or VSX Cluster Member, you must manually configure these settings from scratch or from backed up files.

These settings and files are not restored during the reconfigure process and you must manually configure them again:

  • Any OS configuration (for example, DNS, NTP, DHCP, Dynamic Routing, DHCP Relay, and so on).

  • Backup files and Gaia snapshots saved in the past on the VSX Gateway or VSX Cluster Member.

  • Any settings manually defined in various configuration files on the VSX Gateway or VSX Cluster Member.

  • Any Check Point configuration files.

    Note - Some of these files do not exist by default. Some files are configured on each VSX Gateway and VSX Cluster Member, and some files are configured for each Virtual System.

    Note - Some of these files do not exist by default. Some files are configured on each VSX Gateway and VSX Cluster Member, and some files are configured for each Virtual System.

    • $FWDIR/boot/modules/fwkern.conf

    • $FWDIR/boot/modules/vpnkern.conf

    • $FWDIR/conf/fwaffinity.conf

    • $FWDIR/conf/fwauthd.conf

    • $FWDIR/conf/local.arp

    • $FWDIR/conf/discntd.if

    • $FWDIR/conf/cpha_bond_ls_config.conf

    • $FWDIR/conf/resctrl

    • $FWDIR/conf/vsaffinity_exception.conf

    • $FWDIR/database/qos_policy.C

    • simkern.conf

      • In R80.20 and higher: $PPKDIR/conf/simkern.conf

      • In R80.10 and lower: $PPKDIR/boot/modules/simkern.conf

    • sim_aff.conf

      • In R80.20 and higher: $PPKDIR/conf/sim_aff.conf

      • In R80.10 and lower: $PPKDIR/boot/modules/sim_aff.conf

    • /var/ace/sdconf.rec

    • /var/ace/sdopts.rec

    • /var/ace/sdstatus.12

    • /var/ace/securid

This example shows how the VSX configuration is restored on a VSX Cluster Member.

[Expert@MDS:0]# vsx_util reconfigure

******************************************************************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing.                                      *
******************************************************************************************

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'): 192.168.3.240
Enter Administrator Name: ******
Enter Administrator Password: ******
Select VSX gateway/cluster object name:
  1)    VSX_Cluster
Select: 1


Select VSX member name to reconfigure:
  1)    VSX1_192.168.3.241
  2)    VSX2_192.168.3.242
Select: 1
You are about to perform reconfigure on VSX gateway/cluster, please read sk97552.
Are you sure you want to continue [y/n]? y
Enter Activation Key:
Retype Activation Key:


 1/10 : Certificate Revocation              [#######################################] 100%   00:00:01
 2/10 : Certificate Replacement             [#######################################] 100%   00:00:06
 3/10 : Connectivity Check                  [#######################################] 100%   00:00:05
 4/10 : Fetching Configuration              [#######################################] 100%   00:00:02
 5/10 : Verifying Configuration             [#######################################] 100%   00:00:00
 6/10 : Installing policy on: VSX_Cluster   [#######################################] 100%   00:00:21
 7/10 : Converting Gateway to VSX           [#######################################] 100%   00:02:13
 8/10 : Generating Activation Keys          [#######################################] 100%   00:00:00
 9/10 : Reconfiguring                       [#######################################] 100%   00:00:03
10/10 : Pushing Configuration               [#######################################] 100%   00:00:44

Database saved successfully.

===================== SUMMARY =====================
---- Reconfigure gateway operation completed successfully

************************************************************
IMPORTANT:
   When you are managing a VSX cluster,
   make sure that the new reconfigured member has the same number of
   IPv4, and IPv6 firewall instances as the other VSX cluster members.
   Run cpconfig command to show and edit CoreXL settings.
NOTE:
   In case of adding a new cluster member to a VSX Cluster,
   while using 'ClusterXL Virtual System Load Sharing'
   make sure to run 'vsx_util vsls' after rebooting the
   gateway in order for the Virtual Systems to become active
   on the newly added VSX cluster member.

IMPORTANT: Please reboot the gateway

************************************************************

Logging details are available at /opt/CPmds-R81/customers/MyDomain_Server/CPsuite-R81/fw1/log/vsx_util_20190917_13_16.log

[Expert@MDS:0]#