On 2/14/06, cisco4ng <[EMAIL PROTECTED]> wrote:

> We've been having a lot of problems lately with CMAs. Sometimes they just stop for no reason. Other times we cannot create database revision control unless we stop/start the CMA. There are cases when we cannot even start the CMA from the MDG, so we had to turn to the mdsstop_customer/mdsstart_customer commands as the last resort.
>
> Whenever we open a Nokia TAC case, the first thing the Nokia Engineer recommended was that we upgrade the Provider-1 system to at least HFA_325 so that it matches the Enforcement Module. Even though they have no documentation to prove this, I also think I've read somewhere that the Management Server should have the same HFA or higher than the Enforcement Module. Is that the correct statement?
>
> 2) Because we are currently running HFA_318 on our MDS system, I've seen in the MDS HFA_321 release notes the following:
>
> "if more than 255 CMAs are defined, unable to start CMAs either by running mdsstop/mdsstart or by individual starting the CMAs"
>
> With this statement, does checkpoint refer to 255 CMAs spanning across the MDS Containers or on a single container? I know that there are issues with Solaris 8 scaling past 255 Virtual IP addresses, but that issue has been resolved with Solaris 9. But my question remains the same: does checkpoint refer to 255 CMAs on a single container or the total number of CMAs in my Provider MDS domain system?
>
> I am in Network Operations so I have to trust what the Product Engineer dude told me, that he had no problems when he tested 510 CMAs spanning across four different MDS containers. Frankly, I do not trust this guy. I think he is a complete idiot but he might think otherwise. Not everyone is lucky to have a superstar like Rajeev Gupta or someone with Rajeev's caliber and humility in their group. But that's another story for another time.
>
> 3) We are looking at upgrading the MDS from HFA_318 to HFA_325, possibly to HFA_327. We've made a lot of changes to the CMAs and we also have a very poor tracking record of what changes were being made to the CMAs. Obviously, we are going to do mds_backup on all of the MDS managers and containers prior to the upgrade. However, I have a few doubts:
>
> When upgrading from HFA_318 to HFA_325/327, will we be able to retain all the changes we made via either gui-dbedits or dbedits to the CMA? Will HFA_325/327 overwrite some of the settings that we did with dbedits earlier?
>
> Will the upgrade overwrite some of the changes to files in the $FWDIR/lib directory such as user.def and base.def?
>
> In the release notes, Checkpoint keeps saying that the upgrade will overwrite any changes that were made to the INSPECT file by the customer. Where is this file? In $FWDIR/conf?
>
> Checkpoint release notes never mentioned rebooting the MDS after applying the HFAs. Does it mean that a reboot is NOT needed?

1) There are cases when we can not even start the CMA from the MDG that we had to turn to the mdsstop_customer/mdsstart_customer commands as the last resort.

I'd mdsenv to the CMA and then start fwm up in debug mode to see why it won't start. These types of errors are pretty self-explanatory when the CMA will not start consistently.

2) With this statement, does checkpoint referred to 255 CMAs span across the MDS Containers or on a single container?

From what I understand, this refers to 255 CMAs in one container, not across multiple containers. In FP3 especially, when you have that many CMAs starting at once, it requires large amounts of resources (disk/memory/etc). I have seen a few FP3 installations that have more than 255 across the board.

3) Will HFA_325/327 overwrite some of the settings that we did with dbedits earlier?

I answered this in a previous post to the best of my knowledge, and since they were posted again I'll simply keep the answers together with the rest of your questions. With dbedit changes, the release notes say that changes will be altered. This is more of a CYA thing than anything else. It may or may not change configuration settings. If it does, then you can't say that you weren't warned.

4) Will the upgrade overwrite some of the changes to files in $FWDIR/lib directory such as user.def and base.def?

User.def/base.def files shouldn't be overwritten right away, and in recent versions of P1, there is a script to change .def files over after an HFA install.

5) In the release notes, Checkpoint keeps saying that the upgrade will overwrite any changes that were made to the INSPECT file by the customer. Where is this file? in $FWDIR/conf?

I downloaded the release notes for HFA_325 and I didn't see any mention of the "INSPECT" file. I would think that you're referring to the .def mods, but I don't know. Where did you see this?

6) Checkpoint release notes never mentioned about rebooting the MDS after applying the HFAs. Does it mean that reboot is NOT needed.

Reboot generally wouldn't be needed, but it will obviously require a stop/start of the MDS.

If you have other questions we can probably take this off the list as they'd probably be highly specific to your situation.

Jason
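
The concern in questions 3 and 4, that an HFA may replace customised user.def/base.def without anyone noticing, can be checked by keeping a pre-upgrade copy of the .def files and comparing afterwards. This is an added example, not part of the original thread or any Check Point tooling; the function names and the baseline directory are assumptions.

```shell
#!/bin/sh
# Added example: baseline the .def files before an HFA install, compare after.
# Assumed workflow on the MDS: mdsenv to the CMA, then
#   snapshot_defs "$FWDIR/lib" /var/tmp/defs-baseline   (before the HFA)
#   compare_defs  "$FWDIR/lib" /var/tmp/defs-baseline   (after the HFA)
# /var/tmp/defs-baseline is a placeholder path; use one directory per CMA.

# Copy every *.def file from SRC into BASE, preserving timestamps.
snapshot_defs() {
    src=$1; base=$2
    mkdir -p "$base" || return 2
    for f in "$src"/*.def; do
        [ -f "$f" ] || continue          # glob matched nothing
        cp -p "$f" "$base/" || return 2
    done
}

# Print one line per difference (REMOVED/CHANGED/ADDED <name>).
# Returns 0 when SRC still matches the baseline, 1 otherwise.
compare_defs() {
    src=$1; base=$2; rc=0
    for b in "$base"/*.def; do
        [ -f "$b" ] || continue
        name=${b##*/}
        if [ ! -f "$src/$name" ]; then
            echo "REMOVED $name"; rc=1
        elif ! cmp -s "$b" "$src/$name"; then
            echo "CHANGED $name"; rc=1   # customisation was overwritten
        fi
    done
    for f in "$src"/*.def; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -f "$base/$name" ] || { echo "ADDED $name"; rc=1; }
    done
    return $rc
}
```

For any file reported as CHANGED, `diff` between the baseline copy and the live file shows which local edits need to be re-applied.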
