Command Line Tour

00:01

Now, I would like to show you some command line utilities

00:05

both on the orchestrator and on the single management object

00:10

that are helpful in

00:13

monitoring or maestro deployment.

00:16

But also troubleshooting your maestro deployment if you're having an issue

00:22

good to know specifically where the cause of that issue is,

00:28

uh,

00:29

using the old adage. When in doubt, rebooted out

00:35

on the, uh,

00:38

orchestrator, you can restart the orchestration service and this will be an outage.

00:48

It's sort of silently

00:50

restarts itself.

00:57

Another useful command is

01:00

this o r ch underscore info.

01:07

This

01:11

this command here is useful for collecting extensive diagnostic information about the orchestrator.

01:21

So it's

01:23

sort of like CP Dump

01:26

pulling information from multiple sources

01:30

and writing it too.

01:32

One archive file. Ah, gee, zipped tar file.

01:38

Some of this output is the result of the orchestrator

01:42

service not restarting correctly because of an issue in this demonstration environment.

01:55

A lot of files in there let's go through it one page at a time.

02:01

So long files

02:06

big files

02:07

and

02:10

counters.

02:17

Next,

02:30

this python script

02:31

will provide ah list of the interfaces and the status of those interfaces. Are they up? Are they down?

02:39

Have something plugged in to the interface port

02:44

or not,

02:46

I'm

02:47

running these commands an expert mode. So I have to provide my own pagination by piping it through the I use the less command.

02:58

So

02:59

this command will show you the status of your orchestrator ports.

03:02

And it needs to be run on the orchestrator. Of course not on Ah single management object.

03:19

Thea

03:22

Security Gateway modules

03:23

use the link Layer Discovery Protocol to inform the orchestrator

03:30

of their presence.

03:30

What? Ah, what

03:32

model they are

03:35

and

03:36

don't

03:37

default Name

03:38

for the appliance

03:40

and you can see what Linklater Discovery Protocol has discovered with this

03:46

l l d p

03:47

c t l one word command

03:51

again paginated.

04:03

I also want to point out config file.

04:12

This configuration file on the orchestrator contains

04:17

the configuration of all security groups that have been defined.

04:24

This same file is found in the single management object and the rest of the security gateways.

04:30

But

04:30

at that level it only contains information about that security group

04:34

and there are only two security group. Unless I only one security group that has been defined. So this information is very short

04:43

in production, there would be many, many more entries.

04:49

Next, Um, you can move between the orchestrator and single management objects.

04:57

And then

04:58

when you're in a single management object, you can move within the security gateway modules that are in

05:05

that security group

05:08

and the command can be abbreviated. Move.

05:11

So I'm gonna move to the first security group,

05:14

the first host, which would be by default, the

05:16

the host answering the single management object i p address.

05:21

And it uses secure shell

05:25

so you can set up

05:28

keys to do the authentication or

05:31

password authentication works.

05:33

Now I am

05:35

in

05:36

the single management object of my first and only security group,

05:44

and

05:45

here

06:13

you can see this same etcetera. SG db dot Jay's on file.

06:17

And

06:20

again, this is a very simple demonstration configuration.

06:25

If I had to find multiple security groups

06:28

at the orchestrator level,

06:30

this file in this security would only contain information about this security group. To see all of the security groups,

06:36

you have to look at

06:38

this file

06:39

on the orchestrator.

06:48

Next the A S G command.

06:51

This is useful to get information about the security group,

06:58

including

07:00

which

07:00

security gateway modules in the group are working. Which ones aren't who's active,

07:05

etcetera.

07:10

So the A s G monitor command

07:16

will

07:17

refresh by default every five seconds you can given interval

07:21

as a decimal number.

07:25

And

07:26

right now, the security group,

07:29

uh, it doesn't have policy installed on it

07:31

anymore. So it's showing that

07:34

policy date never happened.

07:39

Threat policy never happened. And we're in active attention mode

07:44

because

07:46

we're supposed to be a cluster

07:48

active inactive, but we don't have a policy.

07:53

Strand will run until you

07:57

accident. I use control. See,

08:03

with the minus V option, you get a little bit different information

08:07

for this next command a SG bug Verify.

08:11

I find it to be

08:13

they're useful.

08:15

This command runs several diagnostics

08:18

on the

08:20

orchestrator and on the

08:22

security group,

08:24

and it provides

08:26

concise summary of the results of each of those diagnostics.

08:31

See that some are failing that just for various read, such as I've not yet installed Policy

08:39

Security Group.

08:41

Also, my demo environment. It's having a bit too.

08:46

This command is typically followed by the A S G e bug list commit

08:52

or

08:52

for information.

08:56

The dxl

09:00

count command

09:01

is

09:01

useful for visualizing distribution modes

09:07

and

09:09

recall that

09:11

distribution modes determined

09:15

which

09:16

security gateway modules should handle the traffic for a given connection.

09:22

And

09:22

the default is general, where

09:26

both the source and destination I P address and by default

09:31

layer for ports are also

09:33

considered. So source

09:37

I P address and port Destination I P address and port

09:41

are all used in the algorithm to determine

09:43

which security Gateway module should handle the traffic for this connection.

09:50

Another option is user distribution mode, which uses the source port

09:56

and destination I P.

10:01

Or network distribution, which uses the

10:05

destination port and source. I P.

10:09

Well, look a little bit more

10:11

into the distribution modes coming up.

10:16

Another useful A SG command.

10:26

This shows you

10:28

key performance indicators.

10:31

Um, so note Ah, the load averages

10:35

that, um

10:37

are displayed for

10:39

both the cork cell cores and secure excel or, uh,

10:43

secure network

10:45

distributor course.

10:50

And this is ah, very small deployment with no policy, no traffic. So this isn't very interesting, but this command automatically updates

10:58

and is useful in a production system.

11:07

Next, Really quickly. I wanted to show the

11:13

diag list.

11:16

Your man

11:24

provides

11:26

all sorts of tests that can be done, so

11:30

you ah,

11:31

use a SG diag print and the test number and it will conduct that test. This is just a handy cheat sheet,

11:39

so you have to remember the numbers.

11:46

So SG

11:48

Diack, you man, is very useful for

11:50

running system diagnostics.

11:54

Earlier, we talked about distribution modes

11:58

distribution modes.

12:01

Set the algorithm, which determines which security gateway modules should handle. The traffic forgiven connection

12:09

does that by

12:11

Gina

12:11

either the source or destination i P address, depending on the mode chosen

12:16

and

12:18

source or destination. Port, depending on if later four

12:22

is enabled, is part of the

12:24

the decision process.

12:28

And so the default distribution mode is general,

12:31

which uses both the source and destination I P addresses

12:35

and source and destination ports for the decision.

12:41

There's also

12:43

user distribution mode.

12:45

It uses the

12:46

destination I P address and Source Port.

12:50

There's

12:52

the Network Distribution Road, which uses the source I P and the Destination port. And there's also a

12:58

a topology

13:00

auto topology mode, which uses the information from

13:05

the

13:07

Single Management Object

13:11

Security Gateway object that was created in smart dashboard

13:15

are so smart, consul with

13:18

with topology

13:20

indicating which interfaces or internal which interfaces are external, it uses that

13:26

so you can see the current distribution

13:31

and you need to be in global Klay Shell, which I was an expert. Modi exited out of that back into the global Klay show,

13:45

and right now the distribution mode is

13:48

general

13:50

and you can change that.

14:01

You can show

14:03

per interface basis.

14:11

Also see the status of the distribution mode.

14:22

Earlier, we talked a little bit about the correction layer on again. The job of the correction layer

14:28

is to handle nada traffic

14:31

because the distribution mode algorithm uses source and or destination I P source and our destination port.

14:39

Determine

14:41

this packet. Which security Gateway module should be handling the traffic for this connection.

14:46

And with Nat, you're changing either the source and or the destination I P address

14:54

and possibly source and or destination port.

14:58

So

14:58

the distribution mode algorithm will pick the wrong security gateway module.

15:05

The correction layer exists to forward the traffic

15:11

that was

15:11

tanned it off to this second security it way module

15:18

back to the original security gateway module, which was handling the Anat ID traffic.

15:22

So it sees all of the traffic, which is necessary with state full inspection,

15:33

can see some correction layer. Statistics

15:35

begin in this demonstration environment. There is really no traffic

15:39

and I certainly haven't turned on Nat. So the correction layer hasn't had to do anything so far,

15:48

so some best practices

15:52

It depends on the specific network mix of the deployment site.

15:58

Generally distribution mode

16:02

using both source and destination I P. Source and destination port will do the most granular distribution

16:08

of connections to the security gateway modules in the security group.

16:15

However, if you're using Nat, then too

16:19

simplify the job of the correction layer

16:25

any Heiden added. Networks set them to use user mode. So we're looking at the destination I P and Source Port

16:37

and

16:40

the destination networks. If, for instance, static Nat, you would use ah

16:45

network move

16:47

which uses the source. I pee in the destination port

16:51

in the distribution algorithm.

16:56

Teoh

16:56

the global Klay shell is very convenient in a

17:02

security group because configuration changes that you make

17:06

in global Klay shell are automatically propagated to the other security gateway modules

17:12

in the security group.

17:15

But in expert mode,

17:22

there are a number of

17:26

MANNLEIN global commands

17:29

begin with G underscore,

17:32

so one g underscore command that that's useful. G underscore update, com file

17:38

and So this man wants the path to convict file

17:42

and of articles. Value pair, though if you leave off the

17:47

value, it'll just remove that bar from the config file.

17:52

So

17:53

you obviously don't want to do this unless you

17:56

have a very good reason to be editing config file.

18:04

For example, this f w

18:07

Kern config file.

18:10

I'm going to change

18:12

the art forwarding setting

18:23

other than risk type owing it

18:26

copy paste.

18:34

You could see that

18:36

the values been changed in the conflict config file on this security gateway module.

18:44

You can ignore that

18:45

build system diagnostics

18:47

ground issue.

19:06

You can see that the values been changed here is Well, I'm gonna go ahead and put it back

19:23

and see that it's been changed on the second security gateway module

19:27

and the security group

19:30

going back to the first security gateway module.

19:33

You see, it's been changed back.

19:36

So

19:37

useful command. If you need to update some config file parameter

19:41

on all of the security gateway modules in your security group.

19:45

And you probably noticed that I

19:48

got to the second security get way module in the security from the first by typing M space to

19:55

so

19:56

this is sort of shorthand for move. Move from one security gateway module to another and within a security group. If you if you execute this on a security get way module. We moved other security gateway modules in that group,

20:08

and it uses secure shell over,

20:11

um,

20:12

back and network.

20:15

You can also move from the orchestrator too.

20:19

Specific security gateway module. In a security group, you specify the security group number first

20:26

and then the security gateway module number.

20:30

Another useful command is a global TCP dump command.

20:37

So

20:38

same syntax as TCP dump.

20:41

It will aggregate all of the

20:45

packet capture data

20:47

and ah,

20:48

they're useful or getting a large

20:52

out of packet capture data fairly quickly.

20:56

Probably one of his capture filters.

21:00

Generically, the G all command

21:04

will run whatever

21:07

command you give it as

21:11

an argument, it will run that on all of the security gateway modules.

21:15

So

21:21

come up with a command.

21:23

Possibly. Someday be useful.

21:27

Show me the tail end of this same config. File fw current dot com

21:33

and

21:33

only two lines in that file. That wasn't a hard thing for tail to do, but it ran it

21:40

on all of the security gateway modules in the security group and then showed

21:45

the output

21:47

I security Gateway module here.

21:51

If you have

21:52

a security group defined,

21:55

you automatically get

21:57

active backup clustering.

22:00

There will be one security gateway module that has designated act active

22:06

and then one

22:07

that is designated back up in the same security group.

22:11

So what? What happens with packets?

22:15

The orchestrator receives a packet

22:18

from an up link interface.

22:21

It uses the distribution mode algorithm to calculate

22:25

which port

22:26

down Lakeport.

22:29

That connection should be handled by

22:30

and and the algorithm guarantees it will always be a down link port that

22:36

security gateway module is

22:38

looked into,

22:40

so it'll calculate that it needs to go out this port. It will send switch the packet out that port will be received by the security Gateway module

22:48

and

22:49

that security gateway module. If this is a new connection,

22:55

will calculate

22:56

which other security gateway module in the security group should be back up

23:02

and start doing state synchronization to that security gateway module

23:07

and

23:08

and thats done over the synchronization villain.

23:12

So you have, ah, the active that's processing the traffic for the connection and the backup that's being synchronized so it has up to date state tables such as connections, table information.

23:26

And so because there's on Lee

23:32

two security gateway modules that are participating in the clustering,

23:37

you don't have the

23:41

extra overhead that the

23:44

the General Products Cluster Excel experiences

23:48

the, uh,

23:52

the maestro,

23:53

I guess, version of clustering that call it

23:56

hyper sink

23:59

limits

24:00

the overhead. And so

24:03

there's, ah, performance penalty of about 1% of throughput

24:08

her security gateway module

24:11

in the security group.

24:14

So if you have

24:15

for security gateway modules in the security group, then

24:18

you are getting

24:21

roughly 96% of the aggregate throughput

24:26

capability.

24:27

Of those four security gateway modules.

24:32

There's some overhead,

24:33

and this is much, much better than

24:36

Cluster Excel load sharing, where,

24:40

in my experience, when you get to maybe five active, active load sharing gateways in the cluster,

24:48

adding any more makes it worse because of all the overhead of synchronizing everybody to everybody

24:55

by limiting the

24:56

synchronization

24:59

me

25:00

between the active and the backup, that really eliminates a lot of the overhead

25:04

of the synchronization. Then again, it's it's about

25:07

1% penalty,

25:11

so

25:12

that wraps up the command line and ah, a little bit of trouble shooting that I wanted to show you.

25:18

Thank you very much for attending this