AWS Backup service available regions:

As of today, the AWS Backup service is available only in the following regions.

The AWS blog post introducing the AWS Backup service is linked below:

https://aws.amazon.com/blogs/aws/aws-backup-automate-and-centrally-manage-your-backups/


F5 VIPRION Guest Virtual Disk Unreachable Issue

Issue:

Virtual guests are in a disconnected state and their virtual disks are in a missing state on F5 VIPRION devices.

Cause:

BIG-IP configuration files and the configuration database are corrupted.

Symptom:

Guests cannot be pinged from the VIPRION host, the gateway of each VLAN on the VIPRION host is not reachable, and the virtual disks are missing on the host device.

Resolution:

  1. Go to vCMP > Guest List.
  2. Move each guest from the Deployed state to the Configured state.
  3. Wait until all guests are in the Configured state.
  4. Log in to the host CLI and run the commands below. Touching /service/mcpd/forceload makes mcpd rebuild its database from the stored configuration files on the next start, which is why the reboot follows.

Multiple blades:

      clsh touch /service/mcpd/forceload
      clsh reboot

Single blade:

      touch /service/mcpd/forceload
      reboot


AWS Autoscaling basics:

  • Auto Scaling ensures our environment has the desired number of EC2 instances when they are needed.
  • Auto Scaling supports only horizontal scaling.
  • If Auto Scaling finds an unhealthy instance, it replaces it with a new instance by terminating the old one.
  • The Auto Scaling service itself is free; however, the instances launched by Auto Scaling are chargeable.
  • Auto Scaling Group: a group of EC2 instances that participate in auto scaling. The group is defined by:
      1. Minimum: the minimum number of instances this group must always contain.
      2. Maximum: the maximum number of instances that can participate in auto scaling.
      3. Desired: decided at runtime, based on the scaling policies.
  • Note: Auto Scaling can also be used with a fixed group size.
  • Launch Configuration: the template Auto Scaling uses to launch new instances. A launch configuration contains:
      1. AMI
      2. Instance type
      3. EBS volume
      4. Security group
      5. IAM role
      6. SSH key pair
  • Note: A launch configuration cannot be updated; we can only create a new one and attach it to the Auto Scaling group.

Checkpoint CoreXL: Part-1

  • CoreXL is a performance-enhancing technology for Security Gateways on platforms with multiple CPU cores.
  • CoreXL enhances Security Gateway performance by enabling the processing CPU cores to perform multiple tasks concurrently.
  • CoreXL was first introduced in version R65, with Linux kernel 2.6.
  • Packet processing steps before CoreXL:
      [Diagram: checkpoint-cpu]
      1. When a packet comes into CPU1, it runs the FW code.
      2. The first step is to lock the firewall code.
      3. Once the firewall code is locked, the packet is processed through fwchain_do.
      4. Once the packet has been processed by the firewall, the CPU unlocks the code and forwards the packet.
      5. The whole cycle is repeated when another packet comes in.
  • The concern here is that there is only one copy of the firewall code, so only one packet can be processed by a firewall CPU at a time; to process another packet, the running FW code process must complete first.
  • To understand this better, consider two CPUs as shown below.
      [Diagram: core-xl]
  • When the first packet reaches CPU1, the FW code is locked and the firewall processes the packet. If a second packet now arrives on CPU0, it cannot be processed until the FW code process on CPU1 completes.
  • To overcome this issue, Check Point introduced two components:
      1. Firewall kernel instances
      2. Dispatcher
      [Diagram: corexl-3]
  • As the diagram above shows, both firewall kernel instances run the same policy (FW code).
  • Now two packets can be processed at the same time by the two firewall instances.
  • Check Point introduced the dispatcher, which decides whether a packet is sent to CPU-1 or CPU-0. The dispatcher runs on a separate CPU.
  • The advantage of CoreXL is that parallel cores execute the code simultaneously. An example is shown below.
      [Diagram: corexl-4]
  • The dispatcher acts as a load balancer, distributing traffic across multiple firewall instances.
  • The global dispatch table forwards traffic to the right core instance. If a packet is received by the wrong FW instance, you will see out-of-state errors.
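To make the last point concrete, here is an added example (a simplified Python model written for these notes, not Check Point code): two dispatch functions run over the same three-packet TCP flow, showing that a dispatcher which does not send both directions of a connection to the same kernel instance produces out-of-state drops. FwInstance, dispatch_symmetric, dispatch_by_source and the packet flow are this example's own names and data.

```python
import zlib

# Simplified model for illustration only; not Check Point's implementation.
class FwInstance:
    """One firewall kernel instance with its own connection table."""
    def __init__(self, idx):
        self.idx = idx
        self.conns = set()        # connections accepted by this instance
        self.out_of_state = []    # non-SYN packets that matched no connection

    def process(self, pkt):
        src, dst, sport, dport, syn = pkt
        key = frozenset({(src, sport), (dst, dport)})   # same key for both directions
        if syn:
            self.conns.add(key)   # a real gateway consults the rulebase here
            return "accept"
        if key in self.conns:
            return "accept"
        self.out_of_state.append(pkt)
        return "drop: out of state"

def dispatch_symmetric(pkt, n):
    """Dispatch table that hashes the sorted endpoint pair, so A->B and B->A
    reach the same instance. crc32 is used only as a stable, seed-free hash."""
    src, dst, sport, dport, _ = pkt
    endpoints = tuple(sorted([(src, sport), (dst, dport)]))
    return zlib.crc32(repr(endpoints).encode()) % n

def dispatch_by_source(pkt, n):
    """Naive dispatch on the source address only: the reply comes from the other
    side and lands on an instance that has never seen the connection."""
    src = pkt[0]
    return int(src.split(".")[-1]) % n

def run(pkts, n, dispatch):
    """Push packets through n instances; return per-packet verdicts and the
    total number of out-of-state drops."""
    instances = [FwInstance(i) for i in range(n)]
    verdicts = [instances[dispatch(p, n)].process(p) for p in pkts]
    return verdicts, sum(len(i.out_of_state) for i in instances)

# Constructed TCP flow: client SYN, server reply, client data (no SYN).
FLOW = [
    ("10.0.0.5", "192.0.2.10", 51000, 443, True),
    ("192.0.2.10", "10.0.0.5", 443, 51000, False),
    ("10.0.0.5", "192.0.2.10", 51000, 443, False),
]
```

With four instances, run(FLOW, 4, dispatch_symmetric) accepts all three packets, while run(FLOW, 4, dispatch_by_source) drops the server's reply as out of state because it lands on a different instance.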

Checkpoint Basic Troubleshooting Commands – Part 1

  1. cpstat os – gives information about the operating system (Gaia or SPLAT)
  2. cpwd_admin list – verify Check Point services
  3. cpstat os -f ifconfig – verify interface details including address, MTU, MAC address, etc.
  4. fw getifs – view interface, IP and subnet details
  5. show configuration interface – view interface, IP, VLAN and speed details
  6. cp_conf sic state – verify the SIC status
  7. fw ctl pstat – verify the sync interface, connections, fragments, NAT, etc.

AWS EC2 Instances

EC2 Instances:

  1. On-demand instances
  2. Reserved instances
  3. Spot instances
  4. Dedicated hosts
  5. Scheduled instances

On-demand instances:

  • These instances are charged on a per-hour basis.
  • When instances are not running, there are no instance charges.
  • Even if an instance is stopped, the EBS volumes attached to it are still billed.
  • Use this instance type when instances are needed for a short duration (1 day, 1 week, one month).

Reserved Instances:

  • We can reserve instances for either one or three years.
  • The advantage of a reserved instance is that we can save up to 70% of the cost compared with on-demand instances.
  • Once a reserved purchase is done, there is no option to terminate the contract; the only option is to sell it on the AWS Marketplace.
  • Reserved instance payment options: All Upfront, Partial Upfront and No Upfront.
  • AWS billing automatically applies the discounted rate when you launch an instance that matches your purchased RI.
  • EC2 Reserved Instances come in three types:
      1. Standard
      2. Convertible
      3. Scheduled
  • RIs can be shared across multiple accounts within consolidated billing.

Spot Instances:

  • Amazon EC2 Spot Instances allow you to bid on spare Amazon EC2 computing capacity for up to 90% off the on-demand price.
  • Spot instances are excess EC2 capacity that AWS sells on a market-exchange basis.
  • The customer defines the highest price they are willing to pay for the instance. If capacity is constrained and others are willing to pay more, your instance might get terminated or stopped.
  • For a "one-time request", the instance is terminated and ephemeral data is lost.
  • For "request and maintain", the instance can be configured to terminate, hibernate or stop until the price point can be met again.

Dedicated Hosts:

  • A dedicated host is a physical EC2 server dedicated to your use.
  • Dedicated hosts can help you reduce costs by allowing you to use your existing server-bound software licenses, including Windows Server, SQL Server, SUSE Linux, etc.

Scheduled instances:

  • We can buy instances based on a schedule.
  • Example: if you need servers on a daily, weekly or monthly basis for a fixed number of hours, for example 4 to 5 hours per day, you can go for scheduled instances.


Checkpoint Memory Leak Issues due to vmalloc

Issue: Unable to push policy to Check Point firewalls

Cause: memory leak (the kernel runs out of vmalloc space)

Symptom: the following messages appear in the kernel log:

      <Firewallname> kernel: allocation failed: out of vmalloc space – use vmalloc=<size> to increase size
      <Firewallname> kernel: printk: 29 messages suppressed.
      <Firewallname> kernel: allocation failed: out of vmalloc space – use vmalloc=<size> to increase size
      <Firewallname> kernel: [fw_0];FW-1: h_getvals: fw_kmalloc (92962728) failed
      <Firewallname> kernel: [fw_0];FW-1: h_getvals: fw_kmalloc (93068568) failed

Resolution:

  1. Log in to the standby firewall.
  2. Take a backup of /boot/grub/grub.conf.
  3. Using the vi editor, change the vmalloc value from 256M to 512M or 768M for normal mode.
  4. Save the file (Esc, then Shift+:).
  5. Reboot the standby firewall.
  6. Once the standby firewall is up, verify the cluster status with cphaprob stat.
  7. If the cluster status shows Active and Standby, fail the traffic over to the rebooted device with clusterXL_admin down (run on the currently active member).
  8. Perform the same procedure, steps 1 to 7, on the other member (the original active device, now standby).
  9. Fail the traffic back to the original active device.
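An added example for steps 2 and 3 of the resolution, not part of the original runbook: a Python helper that keeps a backup of grub.conf and raises the vmalloc= parameter on the kernel line, so the same edit can be repeated on both cluster members and reviewed before the reboot. SAMPLE_GRUB is a constructed file fragment, and bump_vmalloc, apply_with_backup and demo are this example's own names.

```python
import re
import shutil
import tempfile
from pathlib import Path
# Added example, not the runbook's own code; SAMPLE_GRUB is constructed, a real
# gateway's file is /boot/grub/grub.conf.
VMALLOC_RE = re.compile(r"\bvmalloc=(\d+)M\b")

def bump_vmalloc(grub_text, new_size_mb):
    """Return (new_text, changes). Only 'kernel ...' lines are touched: an existing
    vmalloc=<n>M is raised but never lowered; a kernel line without it gets it appended."""
    out, changes = [], []
    for line in grub_text.splitlines():
        if line.strip().startswith("kernel"):
            m = VMALLOC_RE.search(line)
            if m is None:
                line = f"{line.rstrip()} vmalloc={new_size_mb}M"
                changes.append(f"added vmalloc={new_size_mb}M")
            elif int(m.group(1)) < new_size_mb:
                line = VMALLOC_RE.sub(f"vmalloc={new_size_mb}M", line)
                changes.append(f"{m.group(0)} -> vmalloc={new_size_mb}M")
        out.append(line)
    return "\n".join(out) + "\n", changes

def apply_with_backup(path, new_size_mb):
    """Runbook steps 2-3: keep a <name>.bak copy, then rewrite the file in place
    (only when there is a change to make)."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text, changes = bump_vmalloc(path.read_text(), new_size_mb)
    if changes:
        path.write_text(new_text)
    return changes

SAMPLE_GRUB = """\
default=0
title Check Point Gaia
\troot (hd0,0)
\tkernel /vmlinuz ro root=/dev/vg_splat/lv_current vmalloc=256M
\tinitrd /initrd.img
"""
def demo(new_size_mb=512):
    """Apply to a temp copy of SAMPLE_GRUB; return (changes, backup intact, new value)."""
    with tempfile.TemporaryDirectory() as tmp:
        grub = Path(tmp) / "grub.conf"
        grub.write_text(SAMPLE_GRUB)
        changes = apply_with_backup(grub, new_size_mb)
        backup_ok = (Path(tmp) / "grub.conf.bak").read_text() == SAMPLE_GRUB
        return changes, backup_ok, VMALLOC_RE.search(grub.read_text()).group(1)
```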

AWS Security Group Characteristics:

Security group characteristics:

  • Every EC2 instance must have at least one security group.
  • The same security group can be associated with multiple EC2 instances.
  • Every EC2 instance can have a maximum of 5 security groups.
  • A security group has both inbound and outbound rules.
  • Security groups are stateful: the return traffic of an allowed connection is permitted automatically.
  • If traffic is initiated from the internet, it is validated by the inbound rules of the security group.
  • If traffic is initiated from the EC2 instance, it is validated by the outbound rules of the security group.
  • When a rule in a security group is updated, it takes effect immediately.
  • A security group has no explicit allow/deny: the rules we add are allows, and everything else is implicitly denied.
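As an added example (not from AWS or the original notes), a small Python model of these characteristics: the effective rule set is the union of up to five groups, rules are allow-only with implicit deny, inbound versus outbound depends on who initiates, and replies of an allowed connection pass without a rule. Rule, SecurityGroup and Instance are this example's own names, not an AWS API.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_GROUPS = 5  # per-instance limit quoted in the notes above

@dataclass(frozen=True)
class Rule:
    """An allow rule: protocol, port range and the remote CIDR it permits."""
    proto: str
    port_from: int
    port_to: int
    cidr: str

    def matches(self, proto, port, remote_ip):
        return (self.proto == proto and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))

@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # allow rules only
    outbound: list = field(default_factory=list)  # allow rules only

class Instance:
    """An EC2 instance with 1..5 groups; the effective rule set is their union."""
    def __init__(self, groups):
        if not 1 <= len(groups) <= MAX_GROUPS:
            raise ValueError("an instance needs between 1 and 5 security groups")
        self.groups = groups
        self.flows = set()   # connections already permitted (the stateful part)

    def allow(self, direction, proto, port, remote_ip):
        """direction 'in' = initiated from outside (inbound rules apply),
        'out' = initiated by the instance (outbound rules apply). A packet that
        belongs to an already-permitted connection passes without a rule lookup."""
        key = (proto, port, remote_ip)
        if key in self.flows:
            return True
        for sg in self.groups:
            rules = sg.inbound if direction == "in" else sg.outbound
            if any(r.matches(proto, port, remote_ip) for r in rules):
                self.flows.add(key)  # replies of this connection pass from now on
                return True
        return False  # no matching allow rule: implicit deny

# Constructed example (not an AWS default): HTTPS allowed in from anywhere, no outbound rules.
WEB = SecurityGroup("web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
```

Instance([WEB]).allow("in", "tcp", 443, "203.0.113.5") passes, the reply in the "out" direction then passes with no outbound rule, and an inbound port 22 attempt is denied because nothing allows it.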