June 2020 – indepthtechnology

AWS – Copy S3 buckets from one account to another:

June 29, 2020 Raghavendra Seshumurthy

Steps to perform S3 buckets from one account to another is mentioned below:

1. Attach a bucket policy to the source bucket in Account A.

2. Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B.

3. Use the IAM user or role in Account B to perform the cross-account copy.

Attach a bucket policy to the source bucket in Account A:

1. Get the Amazon Resource Name (ARN) of the IAM identity (user or role) in Account B (destination account).

2. From Account A, attach a bucket policy to the source bucket that allows the IAM identity in Account B to get objects, similar to the following:

Important: For the value of Principal, replace arn:aws:iam::11111111111:user/Jane with the ARN of the IAM identity in Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:user/Jane"},
            "Action": ["s3:ListBucket","s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::awsexamplesourcebucket/*",
                "arn:aws:s3:::awsexamplesourcebucket"
            ]
        }
    ]
}

Attach an IAM policy to a user or role in Account B

1. From Account B, create an IAM customer managed policy that allows an IAM user or role to copy objects from the source bucket in Account A to the destination bucket in Account B. The policy can be similar to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::awssourcebucket",
                "arn:aws:s3:::awssourcebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::awsdestinationbucket",
                "arn:aws:s3:::awsdestinationbucket/*"
            ]
        }
    ]
}

2. Attach the customer managed policy to the IAM user or role that you want to use to copy objects between accounts.

Use the IAM user or role in Account B to perform the cross-account copy:

After you set up the bucket policy and IAM policy, the IAM user or role in Account B can perform the copy from Account A to Account B. Then, Account B owns the copied objects.

To synchronize all content from a source bucket in Account A to a destination bucket in Account B, the IAM user or role in Account B can run the sync command using the AWS Command Line Interface (AWS CLI):

aws s3 sync s3://awssourcebucket s3://awsdestinationbucket

Disable non-working F5 Viprion blade

June 29, 2020 Raghavendra Seshumurthy

You can perform F5 viprion blade disable activity in two ways.

Disabling through CLI:

Log in to the command line
Set the VIPRION blade to Disabled by using the following command syntax:tmsh modify sys cluster default members { <slot number> { disabled } }
For example:

tmsh modify sys cluster default members { 2 { disabled } }

3. Set the VIPRION interfaces to Disabled by using the following command syntax:

tmsh modify net interface <slot number>/<interface> disabled

For example:

For single interface

tmsh modify net interface 2/1.1 disabled

For multiple interfaces

tmsh modify net interface 2/1.1 2/1.2 disabled

Webui Method:

Log in to the Configuration utility by connecting to the floating management IP address of the cluster.
Navigate to System > Clusters > Properties.
Select the box next to the desired slot.
Click Disable/Yield.

Checkpoint Database Files

June 26, 2020 Raghavendra Seshumurthy

Important checkpoint database files:

$FWDIR/conf/objects_5_0_c: It contains

Network objects
Host objects
Firewall gateway objects
Service objects

2. $FWDIR/conf/fwauth.NDB: It contains

User administrator accounts
3. $FWDIR/conf/rulebases_5_0_fws: It contains

Security rules
NAT rules

Checkpoint Services

June 25, 2020June 25, 2020 Raghavendra Seshumurthy

Checkpoint important services are mentioned below.

FWM
FWD
CPD
CPCA

1.FWM Tasks:

Serving the GUI clients
Database Tasks (Rules, objects, users etc..)
Collecting status from different firewalls
Policy compilation

2. FWD tasks:

Receiving the logs on port 257

3. CPD (Checkpoint Daemon) Tasks:

SIC
Loading policy
Status collections (AMON)

4. CPCA (Checkpoint certification Authority)

SIC certificate pulling
Certificate enrollment
CRL fetch
Admin WebUI

F5-Viprion-Commands

June 7, 2020 Raghavendra Seshumurthy

To obtain the Cluster members information, type the following command:

tmsh show sys cluster
Example:
[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show sys cluster

—————————————–
Sys::Cluster: default
—————————————–
Address 192.168.1.3/24
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 07/23/17 22:01:49

—————————————————————————-
| Sys::Cluster Members
| ID Address Availability State Licensed HA Clusterd Reason
—————————————————————————-
| 1 192.168.1.4 available enabled true active running Run
| 2 192.168.1.5 available enabled true active running Run
| 3 192.168.1.6 available enabled true active running Run
| 4 192.168.1.8 available enabled true active running Run

To obtain the configured vCMP guest information, type the following command:
tmsh show vcmp guest

Example:
[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show vcmp guest

———————————————————————————–
Sys::Vcmp::Guest
Name Slot ID Status Requested Request Retries Uptime Comment
State Complete
———————————————————————————–
test1 3 running deployed true 0 07/23/17 22:18:16
test2 4 running deployed true 0 07/23/17 22:19:41
test3 1 running deployed true 0 07/24/17 19:24:16
test4 2 running deployed true 0 07/24/17 19:29:25
vguest1 3 running deployed true 0 07/24/17 19:28:49
vguest2 4 running deployed true 0 07/24/17 19:28:49

To access the vGuest console you may run the following command.

vconsole <guest name> <slot#>
Example:
[root@vhost:/S1-green-P:Active:Standalone] config # vconsole guest 1
Trying 127.3.0.1…
Connected to 127.3.0.1.
Escape character is ‘^]’.

BIG-IP 12.0.0 Build 0.0.606
Kernel 2.6.32-431.56.1.el6.f5.x86_64 on an x86_64
guest1.f5.com login:
[root@guest1:/S1-green-P:Active:Standalone] config #

SSH into a specific slot:
ssh <slot number>

Example:
[root@guest1:/S1-green-P:Active:Standalone] config # ssh slot2

Forcing a Primary blade to Secondary

Locate the primary slot# by running
tmsh show sys cluster
Disable the primary slot with the following command:
tmsh modify sys cluster default members { 2 { disabled } }
From the above command, the primary slot# is “2”

Shutting Down and Restarting a single VIPRION Blade

Restarting, powering off, and powering off VIPRION Blades can be done via the following commands:

Reboot a single blade:
bladectl -b <blade#> -r
Example: bladectl -b 2 -r
Power Down a single blade
bladectl -b <blade#> -p 0
Example bladectl -b 2 -p 0
Power On a single blade
bladectl -b <blade#> -p 1
Example: bladectl -b 2 -p 1