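cphaprob -d problem -s problem report  !! Run on the active firewall to force a failover (reports the device named "problem" as being in the problem state)
cphaprob -d problem unregister  !! Unregister the "problem" device to clear the forced failover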

Notes:

  • The best place to perform a failover is within the policy. The commands above are for temporary failover only. After the problem is removed, the firewalls are likely to fail back unless the configuration has been updated.

[ # ]

chsh -s /bin/bash <username>

[ # ]

ethtool -s <interface> speed <speed, e.g. 100> duplex <duplex> autoneg off  !! Set interface speed and duplex; with autonegotiation off, the switch port must be set to the same values

config conn set local <ip>/<cidr> name <interface>  !! Assign an IP address to an interface
config conn add type vlan local <ip>/<cidr> vlan-tag <vlan-tag> dev <physical-int-name>  !! Create a sub-interface with a VLAN tag
config conn del name <vlan-int>  !! Delete sub-interface

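!! Configure which interfaces are monitored for failover. Interfaces listed in discntd.if (1 per line) are treated as disconnected, i.e. excluded from cluster monitoring.
!! cpstop stops the Check Point services on this member, so make the change in a maintenance window.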
cpstop
vi $FWDIR/conf/discntd.if
cpstart

[ # ]

cphaprob stat  !! view failover status
cphaprob -a if  !! view interface VIP configuration

[ # ]

[admin]$ cplic print
Host    Expiration  Features
[ip]    [date]       CPMP-VFF-U-NGX CPVP-VSR-1000-NGX CPVP-VPS-1-NGX CK-asdfsadfsadf

!! Stored in $CPDIR/conf/cp.license
Sign {
LICENSE [ip] never CPMP-VFF-U-NGX CPVP-VSR-1000-NGX CPVP-VPS-1-NGX CK-asdfsadfsadf
}= [hash]

[ # ]

fwpolicy.exe /RB: <policy-name> connect <ip> <username>  !! SmartDashboard
CPlgv.exe connect <ip> <username>  !! SmartView Tracker
provider.exe connect <ip> <username>  !! Provider-1

Notes:

  • 'cd' into the application's directory first
  • This applies to versions R55 up to, but not including, R80

[ # ]

netstat -rn | grep instance    // Look for the 2 non "default" tables
netstat -rn | egrep 'instance|iCSU'    // View PBR table
clish -s 'show aclrules'    // View ACLs
clish -s 'show acl'    // View interfaces ACLs are configured for

[ # ]

clish
  add pbr table <table_name>
  set pbr table <table_name> default route enable
  set pbr table <table_name> default nexthop gateway address <default_nexthop_ip>
  add acl <acl_name>
  set acl <acl_name> ininterface <ifname>
  set acl <acl_name> outinterface <ifname>
  add aclrule <acl_name> position 1
  set aclrule <acl_name> position 1 action pbr pbr_table <table_name> srcaddr <src_address_with_CIDR> destaddr <dst_address_with_CIDR> srcport 0-65535 destport 0-65535 protocol any tcp_estab no tos any dstfield none qspec none
  save config
  exit

Notes:

  • <table_name> and <acl_name> can be anything you want
  • In ACL, use 0.0.0.0/0 for "any"

[ # ]

!! Change IP
clish -s -c "add interface <if name> address <new ip address>/<cidr>"
clish -s -c "delete interface <if name> address <old ip address>"

!! Remove logical interface
clish -s -c "delete interface <if name>"

!! Delete interface (Will disable VRRP monitoring)
clish -s -c "set interface <if name> disable"
clish -s -c "set interface <if name> logical-name <if name>"
clish -s -c "delete interface <if name> address <old ip address>"

!! Set interface speed
clish -s -c "set interface <physical-interface> speed 100M duplex full active on"

!! Create Interface with VRRP - Example
clish
  add interface eth-s1p2 vlanid 141 address 172.1.1.3/24 logical-name eth-s1p2c23 enable
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p2c0 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 hello-interval 1
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 priority 90
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 backup-address 172.1.1.1 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p2c0 priority-delta 10
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p1c0 on
  set vrrp interface eth-s1p2c23 monitored-circuit vrid 127 monitored-interface eth-s1p1c0 priority-delta 10
  save config
  exit

[ # ]

clish 
add user <username> uid <uid#> homedir /var/<username>
set user <username> shell /bin/csh
add rba user <username> role monitorRole
save config

Notes:

  • UID should be above 120. A UID of 0 makes the account root-equivalent, giving the user full read/write access, so do not use it for a monitoring account.
  • The 'RBA' line assigns the default read-only Voyager role, monitorRole, to the user. If the user does not need Voyager access, this line can be omitted.

[ # ]