Showing posts with label Nokia. Show all posts

Every Small Thing Has Its OWN Significance: Nokia Backup thru CLISH

I think nowadays I am becoming lazy... Two days back I got a call from one of my colleagues; he wanted to back up a Nokia. Of course the answer was as simple as that: go to Voyager => Backup. But not all the time... he didn't have any access to Voyager, and it was a Severity 1 call..

I thought of CLISH, the command line of Nokia, which I skipped during my studies thinking that Voyager was going to help me with everything.

Yes.. I found that Clish can do that..

BACKUP USING CLISH
==================

1. clish -c "set backup manual filename ipso-backup"

2. clish -c "set backup manual on"

3. Check the backup created in /var/backup/

BACKUP RESTORE
==============

To restore run the following command :
clish -c "set restore manual /[path]/[filename].tgz"


Moral Story
===========

Don't leave anything out thinking that something better is available.. When you are in trouble, small things are gonna play the role.... Enuf for 2DAY..

Causes for a failover when using VRRP

-If using VRRP, the VRIDs are not the same for the same IP address

-The Hello Timers are not the same for the same VRID

-The FireWall-1 Policy is blocking the VRRP packets

-An Access Control List on the Nokia platform is blocking the VRRP packets

-SNMP Get on Interfaces lists the wrong IP addresses, resulting in incorrect Policy

-Ethernet Switch not recognizing VRRP MAC address

-The interfaces are on different VLANs on the same switch

Useful Nokia IPSO Commands

newimage -R -k -l ipso.tgz - installs a new IPSO image

newpkg -i - installs software from a given location (firewall software, VPN accelerator driver, etc.)

voyager -e 0 80 - resets Voyager after a failed SSL config attempt

dbpasswd admin - changes the password from the command line

ipsofwd on admin - turns on IP forwarding when the firewall is stopped

ipsofwd list - displays IPSO properties (flowpath, etc.)

ipsofwd slowpath - turns off flows (flowpath turns them back on)

iclid - VRRP utility that shows status

- show vrrp - iclid command that shows the number of interfaces and their respective states

- get vrrp - shows iclid stats: active interfaces/checksum/version/id

- show vrrp interface - displays interface stats for VRRP

boot -s (from the > prompt at boot time) - boots into single-user mode

Nokia IPSO has 2 shells, IPSO and Clish.

After logging in, you are in the IPSO shell. To enter the Clish shell, type "clish"

To remove old config:
Either rm /active/config or config/active depending on version.

Everything you need to know about troubleshooting VRRP on Nokia Checkpoints

VRRP failover happens when one of the following events takes place:
-a monitored interface loses its link state
-VRRP hello packets from the master are not seen on the secondary device
-a critical Checkpoint service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. If turned on, a failover will also occur whenever the clock is set backwards.


tcpdump -nni eth1 proto VRRP

The packets will contain the vrid and priority.
When a failure occurs, the failed device sends out a priority 0 message on all good interfaces. This tells the secondary to take over.


Example:
PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:14.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]


If both firewalls are broadcasting vrrp, and the packets are not seen by the other firewall, there could be a communication problem between the firewalls.

Also ensure that the vrid matches on both firewalls.
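The tcpdump lines above can be checked mechanically for the three things the post tells you to look for. This is an added example, not code from the post: a Python parser for the tcpdump VRRP advertisement format shown, run over a constructed capture, that flags a priority-0 advert, a hello gap longer than three intervals (the default VRRP master-down window, assumed here), and two sources advertising disjoint VRIDs.

```python
import re
from datetime import datetime

# Matches tcpdump VRRP advertisement lines in the format shown above, e.g.
# "00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]"
ADVERT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2-adver \d+: vrid (?P<vrid>\d+) pri (?P<pri>\d+)"
)

# Constructed sample capture (not from the post): two steady hellos, a gap of several
# hello intervals, the master's priority-0 "going down" advert, then a second node on another VRID.
SAMPLE_CAPTURE = """\
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:16.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:17.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]
00:46:18.000000 O 192.168.1.2 > 224.0.0.18: VRRPv2-adver 20: vrid 101 pri 90 [tos 0xc0]
"""

def parse_advert(line):
    """Return {ts, src, vrid, pri} for one advertisement line, or None for any other output."""
    m = ADVERT_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            "src": m.group("src"), "vrid": int(m.group("vrid")), "pri": int(m.group("pri"))}

def analyse_capture(text, hello_interval=1.0, tolerance=3):
    """Return (kind, vrid, src, detail) findings: missed_hellos, shutdown (pri 0), vrid_mismatch."""
    findings, last_ts, vrids_by_src = [], {}, {}
    for line in text.splitlines():
        adv = parse_advert(line)
        if adv is None:
            continue
        vrid, ts, src = adv["vrid"], adv["ts"], adv["src"]
        vrids_by_src.setdefault(src, set()).add(vrid)
        if vrid in last_ts:
            # VRRP declares the master down after about 3 missed hellos (tolerance * interval)
            gap = (ts - last_ts[vrid]).total_seconds()
            if gap > hello_interval * tolerance:
                findings.append(("missed_hellos", vrid, src, round(gap, 3)))
        last_ts[vrid] = ts
        if adv["pri"] == 0:  # master is shutting down and telling the backup to take over
            findings.append(("shutdown", vrid, src, None))
    srcs = sorted(vrids_by_src)
    if len(srcs) == 2 and vrids_by_src[srcs[0]].isdisjoint(vrids_by_src[srcs[1]]):
        findings.append(("vrid_mismatch", None, " vs ".join(srcs), None))
    return findings
```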

Proper VRRP failovers usually only cause 1 or 2 lost packets.

VRRP multicast address is 224.0.0.18

To capture vrrp traffic in fw monitor:

fw monitor -e "accept ip_p = 112;"

Clish
show vrrp
This will show you which devices are in the master and backup states.

Example:
PrimaryFW-A> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
PrimaryFW-A>
PrimaryFW-A> exit
Bye.
PrimaryFW-A[admin]#
SecondaryFW-B[admin]# iclid
SecondaryFW-B> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
SecondaryFW-B>
SecondaryFW-B> exit
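The two listings above can be compared rather than read by eye. As an added example (not from the post), this Python snippet parses the counters from each node's show vrrp output and, assuming both nodes are configured with the same virtual routers, uses the master counts to tell a clean master/backup split from a dual-master or no-master condition; on the post's own numbers (6 masters on the primary, 2 on the secondary, 6 configured) it reports 2 virtual routers with a master on both nodes.

```python
import re
# Counters printed by iclid/clish "show vrrp", as in the two listings above.
COUNTERS = {
    "configured": re.compile(r"(\d+) virtual routers configured"),
    "init": re.compile(r"(\d+) in Init state"),
    "backup": re.compile(r"(\d+) in Backup state"),
    "master": re.compile(r"(\d+) in Master state"),
}

# Constructed sample output, copying the counters from the two nodes in the post.
PRIMARY_SHOW_VRRP = """\
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
"""
SECONDARY_SHOW_VRRP = """\
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
"""

def parse_show_vrrp(text):
    """Return the four state counters from one node's 'show vrrp' output."""
    counts = {}
    for name, rx in COUNTERS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"no '{name}' counter in show vrrp output")
        counts[name] = int(m.group(1))
    return counts

def check_pair(primary_out, secondary_out):
    # Describe anything that is not a clean master/backup split across the two nodes.
    p, s = parse_show_vrrp(primary_out), parse_show_vrrp(secondary_out)
    problems = []
    if p["configured"] != s["configured"]:
        problems.append("virtual router count differs between the nodes")
    masters = p["master"] + s["master"]
    if masters > p["configured"]:  # pigeonhole: some VRID is master on both nodes
        problems.append(f"{masters - p['configured']} virtual router(s) are master on both nodes")
    elif masters < p["configured"]:
        problems.append(f"{p['configured'] - masters} virtual router(s) have no master")
    if p["init"] or s["init"]:
        problems.append("virtual routers still in Init state")
    return problems
```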
show vrrp interfaces
Detailed configuration of VRRP, including priority, hello interval, and VRID

clish -c "show interfacemonitor"
Displays interface transitions

cphaprob -i list
Displays Checkpoint critical processes and their timeouts.

To log critical process failures:
ipsctl -w net:log:partner:status:debug 1

That will log to the console and to /var/log/messages. If you want to turn off:
ipsctl -w net:log:sink:console 0

To change the timeout value of a monitored process:
cphaprob -d [device] -t [timeout] -s [state] -p register

How do I change an IP address on an IPSO Nokia firewall via clish?

Below are the commands required to change the IP address of an interface within clish on an IPSO Nokia gateway.

1. add interface eth1c0 address IP [NEW IP]/[NETMASK]
2. delete interface eth1c0 address [OLD IP]
3. set interface eth1 speed 100M duplex full active on
4. set interface eth1c0 enable

Below is an example:

nokia-firewall[admin]# clish
NokiaIP390:102>add interface eth1c0 address IP 192.168.1.1/24
NokiaIP390:102>delete interface eth1c0 address 172.16.1.1
NokiaIP390:102>set interface eth1 speed 100M duplex full active on
NokiaIP390:102>set interface eth1c0 enable

How do I create an IPSO backup via clish ?

The following will show you how to save a full IPSO backup via the clish CLI. This will backup all of the operating system configuration such as routes, proxy arps, interface settings etc.

Backup

This will create a backup within the /var/backup/ directory called ipso-backup_[date].tgz

1. clish -c "set backup manual filename ipso-backup"

2. clish -c "set backup manual on"

Restore

To restore, run the following command:

1. clish -c "set restore manual /[path]/[filename].tgz"

Nokia IPSO Password Recovery

Boot the Nokia device into single user mode

To boot an IP440 into single user mode, first restart the box. When you see the "boot:" prompt, enter "-s" and press "enter" within 10 seconds. When it boots into single user mode it will ask for the shell; just press "enter" to accept the default "sh".

To boot an IP500 or higher into single user mode, first restart the box. You will see the prompt "Entering autoboot mode. Type any character to enter command mode." You have 5 seconds to press any key.

To boot an IP300 device into single user mode, first restart the box. When you see the prompt "Verifying DMI Pool Data", press the number 1. Then you will see "Type any character to enter command mode." You now have 5 seconds to press any key. After pressing any key, type "boot -s" to enter single user mode.

Change Password in IPSO 3.5 and Higher

Run "/etc/overpw" from the single user shell and follow the prompts to change the password. Type "reboot" to boot into multi-user mode, then go into Voyager and change it to a permanent password.

Change Password in IPSO 3.4 and Lower

Run "/etc/overpw" from the single user shell. Type "reboot" to boot into multi-user mode. After the device starts up you can console into it and will not be prompted for an admin password. After you console in, run the command dbpasswd admin password "" where "password" is the new password you want and "" specifies the old (blank) password. Then run "dbset :save". Now use Voyager to set a permanent password.
