Firepower Process Management
Have you ever been in a situation where you wanted to troubleshoot a certain firepower process? Tried to kill a process, to re-start it with some debug flags but it was already re-started automatically by process manager? Well pmtool is here to help. Using pmtool you can disable services, restart processes and check dependencies between components on firepower systems.
Disclaimer
As always you should be aware of what you are doing. With great power comes great responsibility, so do not disable processes and then complain that a feature is not working anymore. Before using this utility on production systems, make sure you understand possible ceveats that could result from disabling and restarting processes on the firepower system.
pmtool
Introduction
pmtool is a binary to manage processes on firepower systems. It can be used from an FMC root shell and directly in the sfcli on firepower sensors like FTD, ASA with Firepower Services or the dedicated NGIPS.
Make sure to run pmtool as root.
|
|
Process Status
If you want to check the status of processes you can use the Status option for pmtool. Because the command will list the status for all managed daemons and tasks I have shortened the output and uploaded the full output here.
|
|
|
|
In case you only want to check a specific process you may grep for the name. In the following example we will check the status of the identity daemon named adi.
|
|
Disable/Enable Processes
In case you want to disable a process for troubleshooting reasons (e.g. start daemon manually and redirect debug output to a logfile) you can use the DisableById option for pmtool. Keep in mind that you will have to enable the process again afterwards or it wont be under ProcessManagers control again.
Before disabling a process, make sure it is actually running. If it is not running there must be some issue.
Check status of identity process
|
|
Disable identity process
|
|
By issueing the status command once again you can verify that the process has indeed been disabled
|
|
After you are done troubleshooting dont forget to enable the process again and make sure it is indeed running again
|
|
|
|
Restart Process
If you get into a situation where a process is misbehaving (e.g. SFDataCorrelator not loading URL database into snort engine, adi not connecting to pxGRID correctly, snort dropping traffic unexpected, etc.) you may restart a process. Make sure you are aware of the function of the process and how it should behave if you restart it.
For our example we will restart the ips engine processes (snort) on one of our sensors because we experience very high cpu usage that can be tracked back to snort and traffic is being dropped unexected. Be aware that restarting snort may lead to temporary traffic loss for up to a few seconds.
if you want to restart all snort processes make sure you use the restartByType keyword and not restartById
|
|