Table of Contents
Useful Algosec commands, troubleshooting and information
Useful commands, summary
- Verify if a specific process is running
- Examples:
- To terminate (kill) a specific process
- To terminate (kill) all processes for analysis in Algosec
- How to terminate (kill) process for import of devices in Algosec
- How to view the version of the Algosec applications
- Restarting services
- Restart FireFlow
- Restart web server
- Restart Tomcat
- How to restart AppViz (former ABF)
- Notification configuration 2018.2 ⇒
- Email does not update in AFF after changes in AFA (LDAP or RADIUS) workaround
Troubleshooting, summary
- Backup in GUI won't work ("backup is already running" error with manual backup)
- To view speed and duplex on an interface
- Sync the database with the reports directory (problem with searching in objects)
- To clear type history in BASH
- To enable debug-mode in FireFlow (CLI)
- Verify that the garbage cleanup script have been running
- AFA traffic simulation in CLI
- Kill (shut down) stuck or big application queries (CLI)
- Low free disk space on / or /data partitions
- A short SQL-query to get all interfaces with associated IP from all the firewalls in the map
- License will not install in CLI
- ABF application flows will not save
- Local account admin could not login
- Cancel connectivity check in ABF
- Art / elasticsearch / kibana backup problems
- Fetchmail troubleshooting, will not get (fetch) mails
- Menubar not showing in AppViz after upgrade to A30.10
- Verify disk speed is up to standard
- Username no longer case sensitive?
Other useful information, summary
- Needed ports for cluster and functions
- Where the risk profiles are located
- Regex for search in Notepad++
- How to use screens in Linux
- How to identify users in the system
- BZIP2 and GZIP archiving
- TAR commands
- How to Encrypt and Decrypt Files and Directories Using Tar and OpenSSL
- How to activate debug mode in ABF
- Boostmode on and off
- To get destination NAT from firewalls in ASMS database
- Cluster node suddenly removed from cluster
- How the user field in ABF flows work
- How to get a session id
- How to look into .tar, .zip, .bz2 files without unpacking them
- How to clean up the session database table in postgres
- Guide for LVM on new setup virtual appliance
Useful commands
Regarding passwords
For passwords, do not use the characters >, & or <. The password is handed to a shell command line, so the shell interprets these characters and algosec_conf fails (algosec_conf error=1). In the log below the & in the password ends the command early and the shell tries to run the rest of the password, Kakor, as a separate command:
[dfbf1cbc] [main ] [2021-10-25 11:23:03,066] [INFO ] [essExecutorImpl::132 ] executing external command (UUID=aiWfbTn8): sudo -H -u afa /usr/share/fa/bin/add_del_htpasswd del 'admin'
[dfbf1cbc] [main ] [2021-10-25 11:23:03,545] [INFO ] [essExecutorImpl::132 ] executing external command (UUID=ukJ2DuLV): export PASSWORD=$'Kaffe&Kakor' && sudo -H -u afa /usr/share/fa/bin/add_del_htpasswd add 'admin' $PASSWORD
[dfbf1cbc] [stderr-ukJ2DuLV] [2021-10-25 11:23:04,031] [WARN ] [pl$StreamLogger::238 ] --> sh: Kakor: command not found
[dfbf1cbc] [stderr-ukJ2DuLV] [2021-10-25 11:23:04,034] [WARN ] [pl$StreamLogger::238 ] --> Adding password for user admin
[dfbf1cbc] [main ] [2021-10-25 11:23:04,064] [ERROR] [ErrorMenuItem ::33 ] An error occurred during algosec_conf menu
[dfbf1cbc] [main ] [2021-10-25 11:23:04,144] [INFO ] [Main ::97 ] Force exit from algosec_conf (exit with error 1)
[dfbf1cbc] [Thread-36 ] [2021-10-25 11:23:04,148] [INFO ] [Main ::90 ] algosec_conf shutdown
[dfbf1cbc] [Thread-36 ] [2021-10-25 11:23:04,149] [INFO ] [Main ::91 ] ------------------------------------------
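Added example, not AlgoSec's code: a small POSIX shell script that reproduces the failure mode in the log above (a shell operator inside a password that is spliced into a command string) next to the argv-based pattern that avoids it, plus a pre-check for the characters this page says to avoid. printf stands in for add_del_htpasswd, and the password value is the one from the log.

```shell
#!/bin/sh
# Constructed demonstration (not AlgoSec code) of the algosec_conf failure
# shown in the log: the password is spliced into a shell command line, so a
# shell control character such as '&' ends the command early and the rest of
# the password ("Kakor") is executed as a separate command.

# Return 0 when the candidate password contains none of the characters this
# page says must be avoided (<, > and &), 1 otherwise.
password_is_safe() {
    if printf '%s' "$1" | grep -q '[<>&]'; then
        return 1
    fi
    return 0
}

# Unsafe pattern: the password is interpolated into the command string and
# re-parsed by sh. With 'Kaffe&Kakor' only "Kaffe" reaches printf; the
# "Kakor: command not found" error goes to stderr (discarded here).
unsafe_interpolation() {
    sh -c "printf '%s\n' $1" 2>/dev/null || true
}

# Safe pattern: the password travels as a separate argv element and is never
# re-parsed by the shell, so every character reaches the program intact.
safe_argument() {
    sh -c 'printf "%s\n" "$1"' _ "$1"
}

# Stand-alone run (./script.sh --demo): shows the two behaviours side by side.
if [ "${1:-}" = "--demo" ]; then
    pw='Kaffe&Kakor'
    if password_is_safe "$pw"; then echo "pre-check: ok"; else echo "pre-check: rejected"; fi
    echo "unsafe interpolation -> $(unsafe_interpolation "$pw")"
    echo "safe argv            -> $(safe_argument "$pw")"
fi
```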
Logs where they are and how to read them
Read logs with the falogs command
Login as AFA user
su afa
If you are logged in as root, run su (switch user) afa to change to the afa user. (In newer versions, at least A30.00 and later, this also works as the root user.)
falogs
This is an alias that tails several important logs at once.
Tip: use this to troubleshoot login errors in the live log.
falogs | grep {username}
The FireFlow httpd error log (/etc/httpd/logs/error_log)
The FireFlow httpd error log gives a lot of useful information when encountering problems in FireFlow.
Commands for reading logs
Commands:
Less
/ = search
/[search pattern]
Tail
tail -n 100 [log file (full path)]
-n 100 == shows the last 100 lines from the specific file
tail -f [filename]
-f is "follow" i.e. appends output when the file gets bigger
Where the logs are located
- AFA logs
/home/afa/.fa-history (contains lots of Info messages; filter them out with grep -v -i 'info')
/var/log/
/var/log/messages
- Backup logs
/home/afa/backupLogs.history (up to 2018.1)
/var/log/algosec-ms/ms-backuprestore.log (2018.2 ⇒ 30.10.x)
- AFF logs
/usr/share/fireflow/var/log/fireflow.log
/var/log/aff-boot.log
- ABF logs
/var/log/bflow/bflow.log
- Other
/data/afa_catalina_base/logs/catalina.out
/data/log/algosec_hadr/ (HA/DR, install log and others)
/var/lib/pgsql/data/pg_log/postgresql-???.log
/var/log/httpd/error_log
/home/afa/public_html/algosec/.ht-fa-history
/etc/httpd/logs/error_log
Get back to the content menu when logged in as root
Enter the command:
algosec_conf
How to show CPU, Memory and Disk use
Command:
top
Shows CPU and RAM use. Press '1' to display all CPU cores, 'd' to set the update interval, 'n' to set the maximum number of tasks displayed, Shift+'P' to sort the output by CPU utilization, Shift+'M' to sort the output by memory utilization, and 'q' to exit.
iostat -d -x 5 3
shows the disk use
-d == display the device utilization report
-x == display extended statistics. This option works with post-2.5 kernels since it needs the /proc/diskstats file or a mounted sysfs to get the statistics. It may also work with older kernels (e.g. 2.4), but only if extended statistics are available in /proc/partitions (the kernel needs to be patched for that).
5 3 == three reports at 5-second intervals
iotop -o
shows the disk activity as top does.
-o shows only the active i/o processes
Handling processes
Verify if a specific process is running
Command:
ps -A | grep [processname]
ps -A == shows the list of running processes; -A shows all processes
| == pipe, sends the output of the command on the left to the command on the right
grep == receives the ps -A output, filters it on the given process name and shows only those processes
Examples:
PID     Process name
27033 ? 00:00:03 collect_gen
27083 ? 00:00:03 collect_gen
27097 ? 00:00:03 collect_gen
For a more extensive output look at the man pages for ps and grep
ps -aef | grep collect | grep -v grep
User PID   PPID  path to the application running
afa  31218 31121 8  15:09 ? 00:00:02 /usr/bin/perl /usr/share/fa/bin/collect_ios -d /home/afa/algosec/monitor/CHNx_Nanj481_A_01/new_config -n CHNx_Nanj481_A_01 -m
afa  31530 31484 14 15:09 ? 00:00:03 /usr/bin/perl /usr/share/fa/bin/collect_ios -d /home/afa/algosec/monitor/USAx_hous379_01_02/new_config -n USAx_hous379_01_02 -m
afa  31824 31791 10 15:09 ? 00:00:02 /usr/bin/perl /usr/share/fa/bin/collect_ios -d /home/afa/algosec/monitor/USAx_hous379_01_01/new_config -n USAx_hous379_01_01 -m
To terminate (kill) a specific process
Command:
kill [process PID]
This will terminate (kill) the process with the specified process ID. Use ps -A to find the PID.
To terminate a process by name instead of PID (killall), command:
killall -v -u afa -e collect_ios
-v == verbose, shows more output from the command
-u == only processes owned by the given user, in this case user afa
-e == exact match on the process name given, in this case "collect_ios"
pkill == as kill but use process name instead of PID.
pkill [process name]
To terminate (kill) all processes for analysis in Algosec
pkill -9 fa_master
-9 == send SIGKILL, which the process cannot catch or ignore
How to terminate (kill) process for import of devices in Algosec
The process is import_devices
ps -A | grep import_devices
[output with pid]
kill -9 [pid]
When you want to kill an analysis by its report number, use the command below:
pkill -9 <report_no>
How to view the version of the Algosec applications
The below commands display which version of each product is currently installed.
Firewall Analyzer: rpm -q fa
FireFlow: rpm -q algosec-ticketing
BusinessFlow: rpm -q BusinessFlow
AlgoSec Appliance: rpm -q algosec-appliance
There is a script with alias that runs the commands above.
show_version
Restarting services
Handover HA/DR from primary to secondary: choose "13. Configure HA/DR" in the startup (content) menu, then 4. Continue according to Article Number 303 in the Algosec Knowledge Center (https://knowledgebase.algosec.com/article.php?id=303)
Restart FireFlow
restart_fireflow
Restart web server
/etc/init.d/httpd start or service httpd restart or systemctl restart httpd
Restart Tomcat
/etc/init.d/apache-tomcat start or service apache-tomcat restart or systemctl restart apache-tomcat
How to restart AppViz (former ABF)
When you restart apache-tomcat, AppViz (and the services connected to it) is restarted as well.
service apache-tomcat restart
Notification configuration 2018.2 ⇒
Notification changed to Watchdog. Config file: /data/algosec-ms/config/watchdog_configuration.json
! For instance backup_schedule to syslog is set to false (off) as default !
See more in the AFA admin documentation page 341
Email does not update in AFF after changes in AFA (LDAP or RADIUS) workaround
Problem: The email address does not update from AFA to AFF. The address should sync automatically, but sometimes it is not working.
Solution/Workaround: Change the user in the database with the supplied commands. First make sure that the user is not duplicated in AFF (look for the user in the AFF users section of the configuration menu).
Commands
1. Login to the database:
psql -U postgres -d rt3
2. Look for the correct user. Replace '[userid]' with the user's login name in the ASMS, for instance 'debugger' if the login username is debugger:
select * from users where name = '[userid]';
Verify that the email is missing or wrong.
3. Update the user's email address. Replace [email protected] with the correct email address:
update users set emailaddress='[email protected]' where name='[userid]';
4. Do step 2 again to verify that the user is updated correctly:
select * from users where name = '[userid]';
5. Exit the postgres prompt:
\q