Support Center > Search Results > SecureKnowledge Details
How to troubleshoot Gaia Portal (WebUI)
Solution

Gaia has introduced an all-new Portal that provides full access to system configuration.

Gaia Portal (WebUI) architecture

Gaia Portal (WebUI) is powered by an Apache server running on the Security Gateway or Security Management server. The Apache server handles HTTPS requests of Gaia via a CGI interface, passing the requests to the TCL scripts. Besides this, the Apache manages the sessions using a proprietary Apache module that works in coordination with the Gaia DB and RBA roles. The Client side is based on Javascript and CSS files powered by ExtJs Javascript library. The Gaia Portal, as system portal, functions with and without multi-portal I/S. When there is no multi-portal, the HTTPS requests go directly to the Apache process listening for HTTPS connections.

Troubleshooting needs to be conducted when you have problems accessing the Gaia Portal, for example:

  • User cannot access the Gaia Portal.
  • User cannot access specific pages of the Gaia Portal.
  • Log in to Gaia Portal succeeded, but then the Gaia Portal is stuck.
  • The browser displays errors on several pages.

 

Table of Contents

  1. Browser displays an error
  2. Error on specific page in Gaia Portal
  3. Gaia Portal fails to execute a command or function
  4. Gaia Portal crashes
  5. Gaia Portal failed to load
  6. Access to Gaia Portal failed
  7. Gaia Portal failed to load showing blank page
  8. Changing the Gaia Portal port in Clish results in warning
  9. Cannot access Gaia portal, browser shows "Page cannot be displayed"
  10. Cannot connect to Gaia portal after changing the name of Security Gateway
  11. Gaia Portal is not accessible/responsive after upgrade
  12. Related solutions

 

(1) Browser displays an error

 

(2) Error on specific page in Gaia Portal

 

Click Here to Show instructions for all browsers
  • Show / Hide instructions for Google Chrome

    1. Connect to Gaia Portal using Google Chrome (but do not log in yet).

    2. Enable Developer Tools - in the menu, go to More tools - click on Developer tools (or press either F12, or CTRL+Shift+I)



    3. In the Developer Tools window, go to Network tab.

      Recording of the network log is started automatically.

      Note: It is strongly recommended to undock the Developer Tools into separate window (click on the 3 vertical dots in the upper right corner).

      Example:


    4. Log in to Gaia Portal.
      Note: The credentials are not recorded in the network log.

    5. Replicate the issue:

      1. Navigate to the problematic page / section

      2. Take the screenshot of Gaia Portal before the issue

      3. Perform the relevant actions to replicate the issue

      4. Take the screenshot of Gaia Portal after the issue


    6. Wait for 1-2 minutes.

    7. Stop recording network log - click on the red circle.

    8. Right-click on any of the files at the bottom - select Save as HAR with content - save the <IP_Address_of_Gaia_Portal>.har file on your computer.

      Example:


    9. Send the following files from the involved Gaia machine to Check Point Support:

      • CPinfo file
      • /web/cgi-bin2/*
      • /web/htdocs2/js/*
      • /var/log/messages*
      • Recorded network log (HAR file)


  • Show / Hide instructions for Firefox

    1. Connect to Gaia Portal using Firefox (but do not log in yet).

    2. Enable Developer Tools in Network mode - go to the upper right-menu - click on Developer - click on Network (or press CTRL+Shift+Q):



    3. Click on the Clock icon to start performance analysis.

      Note: It is strongly recommended to undock the Developer Tools into separate window (click on the 2-windows icon in the upper right corner).



    4. Click on the Back button to see all the loaded scripts and images.

      Example:


    5. Log in to Gaia Portal.
      Note: The credentials are not recorded in the network log.

    6. Replicate the issue:

      1. Navigate to the problematic page / section

      2. Take the screenshot of Gaia Portal before the issue

      3. Perform the relevant actions to replicate the issue

      4. Take the screenshot of Gaia Portal after the issue


    7. Wait for 1-2 minutes.

    8. Right-click on any of the files - select Save All As HAR - save the <Archive DD-MM-YY HH-MM-SS>.har file on your computer.

      Example:


    9. Send the following files from the involved Gaia machine to Check Point Support:

      • CPinfo file
      • /web/cgi-bin2/*
      • /web/htdocs2/js/*
      • /var/log/messages*
      • Recorded network log (HAR file)


  • Show / Hide instructions for Internet Explorer

    1. Download and install HttpWatch on the computer, from which you will connect to Gaia Portal.

    2. Start the HttpWatch capture (refer to HttpWatch Help file, or online version).

    3. Connect to Gaia Portal using Internet Explorer.

    4. Log in to Gaia Portal.

    5. Replicate the issue:

      1. Navigate to the problematic page / section

      2. Take the screenshot of Gaia Portal before the issue

      3. Perform the relevant actions to replicate the issue

      4. Take the screenshot of Gaia Portal after the issue


    6. Wait for 1-2 minutes.

    7. Stop the HttpWatch capture.

    8. Export the HttpWatch capture to HAR format.

    9. Send the following files from the involved Gaia machine to Check Point Support:

      • CPinfo file
      • /web/cgi-bin2/*
      • /web/htdocs2/js/*
      • /var/log/messages*
      • Exported HttpWatch capture (HAR file)

 

(3) Gaia Portal fails to execute a command or function

Check the same command in Gaia Clish:

  • If the command works correctly - Probably, this is a Gaia Portal problem.

    • Check browser logs. Refer to section "Browser displays an error".
    • Check TCL server side logs:
      • Using the browser console or Apache logs /usr/local/apache2/logs, find the name of the TCL file being accessed by the browser.
      • Every TCL file has its debug file. Edit the TCL file that is located in the the /web/cgi-bin2/ directory.
      • Look for the debug file name (should be something like /tmp/<feature>.debug).
      • Examine this log file.
    • Check /var/log/messages file to see errors of ipstcl process (the TCL interpreter).


  • If the command does not work - probably, this is Gaia Database problem. Check the /var/log/messages file.

 

(4) Gaia Portal crashes

  • Check browser logs with the browser console.

  • Check the relevant log files:
    • /var/log/messages* files
    • Apache logs in the /usr/local/apache2/logs/ directory

 

(5) Gaia Portal failed to load

The reasons for this issue can vary and may occur at different layers.
Below are steps and instructions on how to narrow the troubleshooting scope.

Show / Hide Solution
  • Check if you have connectivity to the machine from the client machine via ping.
    Capture the traffic with tcpdump to see if pings can reach the machine.

  • When browsing to the Gaia portal, check the HTTPS connections:

    • Capture the traffic with tcpdump to see that the HTTPS connections are being seen on the machine.

    • If HTTPS connections are seen on the machine, and this machine is Security Gateway / Cluster member,
      then run a simple kernel debug to check these HTTPS connections are dropped: fw ctl zdebug + drop.
      If there is a doubt, and this machine is NOT connected to any network (except your test computer),
      then try unloading the Firewall policy: fw unloadlocal (to reload the policy, run: fw fetch localhost command).

    • Check if the Multi-Portal is not routing the Gaia connections to the wrong portal.
      Run fw ctl zdebug + crypt command.
      If there is a doubt, and this machine is NOT connected to any network (except your test computer),
      then try unloading the Firewall policy to disable Multi-Portal: fw unloadlocal (to reload the policy, run: fw fetch localhost command).

    • If indeed Multi-Portal routes the Gaia connections to the wrong portal, then check that the Gaia Portal port is configured
      in SmartConsole in the corresponding object and see that the browser connects to the same port.

    • Check the Apache server logs to see if Gaia connections arrive at the Apache server:

      • Examine the files in the /usr/local/apache2/logs/  
      • Examine the files /var/log/httpd2_* and /var/log/httpd_*


  • Check the ownership and permissions of the TCL files in the /web/cgi-bin2/ directory with ls -al /web/cgi-bin2/ command.
    These TCL files should have:
    • The following ownership: admin root
    • The following permissions: -r-xr-xr-x

    Note: the httpd_dyno.tcl file located in this directory, has different permissions since it is obsolete and is not used by Gaia Portal anymore.

    To correct the ownership / permissions, run:
    • For ownership: chown -v admin:root /web/cgi-bin2/*
    • For permissions: chmod -v a=rx /web/cgi-bin2/*


  • Check the ownership and permissions of /usr/bin/cgisu file with ls -l /usr/bin/cgisu command.
    This file should have:
    • The following ownership: admin config
    • The following permissions: -r-sr-x---

    To correct the ownership / permissions, run:
    • For ownership: chown -v admin:config /usr/bin/cgisu*
    • For permissions: chmod -v 4550 /usr/bin/cgisu


  • Check that the files /web/conf/server.key and /web/conf/server.crt are not empty with the following commands:
    • cat /web/conf/server.key
    • cat /web/conf/server.crt

    Related solutions:

 

(6) Access to Gaia Portal failed

Check the ownership and permissions for /tmp directory.

This directory should have:

  • The following ownership: admin root
  • The following permissions: drwxrwxrwt

To correct the ownership / permissions, run:

  • For ownership: chown -v admin:root /tmp
  • For permissions: chmod -v a=rwxt /tmp

 

(7) Gaia Portal failed to load showing only blank page

Enable JavaScript in your browser. For more information, refer to http://www.enable-javascript.com.

 

(8) Changing the Gaia Portal port in Clish results in warning

"WARNING This command is for initial use. SSL port should be set through SmartDashboard. Changing the port may cause inconsistency with the settings on the SmartDashboard. Are you sure you want to continue?(Y/N)
[N]
"It is recommended to change the port using the Platform Portal section of the object in SmartDashboard.
Add the port to the end of the Main URL and push policy. "show web ssl-port" should now display the port in the Main URL
Show / Hide Solution

For Security Gateway:

In SmartConsole, perform:
  1. Open the Security Gateway / Cluster object and go to the "Platform Portal" pane.
  2. In the "Main URL" field, set the desired port (e.g., port 4434):
    https://IP_ADDRESS:PORT
  3. Click on OK to apply the changes.
  4. Install the security policy on this Security Gateway / Cluster object.
Note: Using Clish to change portal port on Security Gateway will be overwritten on a policy installation. After the change the httpd process can be seen listening to the new port with "netstat -lpn|grep port". Port 443 is handled by he mpdaemon and will not be listed in netstat.

For Security Management Server:

  1. Connect to command line on Security Management Server and log in to Clish.
  2. Set the desired port (e.g., port 4434):
    HostName> set web ssl-port <Port_Number>
  3. Save the changes: HostName> save config
  4. Verify that the configuration was saved:
    [Expert@HostName]# grep 'httpd:ssl_port' /config/db/initial

 

(9) Cannot access Gaia portal, browser shows "Page cannot be displayed"

  • When accessing Gaia portal, it loads for 1-2 seconds and then the browser displays the "This page cannot be displayed" message.

  • WebUI debug output according to sk84561 contains:
    [error] (17)File exists: Cannot create SSLMutex with file `/usr/local/apache2/logs/ssl_mutex'
    Configuration Failed

Show / Hide Solution 

To resolve the problem, remove the ssl_mutex file:

  1. Run # rm -r /usr/local/apache2/logs/ssl_mutex

  2. Restart the web server daemon:

    # tellpm process:httpd2
    # tellpm process:httpd2 t

 

(10) Cannot connect to Gaia portal after changing the name of Security Gateway

After the name of the Security Gateway is changed and SIC is reset with the Management server, there is a certificate error and Gaia portal page does not load.

Cause: Old certificate was not removed from the Security Gateway before changing its name.

Show / Hide Solution 
  1. In SmartConsole, go to the 'Security Gateway object -> IPSec VPN -> Repository Of Certificates Available to the Gateway', and delete the certificate that contains the old name of the gateway.

  2. If the firewall does not have the IPSEC VPN blade enabled, temporarily enable this blade under General Properties and view the Certificate(s) available to the gateway.
    Exercise caution to ensure that the certificate is issued by the Security Management server, as in the example below:

    Subject: CN=GwyC-77.10 VPN Certificate,O=Mgmt..imce48

    Issuer: O=Mgmt..imce48


  3. Ensure that the issuer name shows the Security Management server name.

  4. After successfully confirming step 3 above, click "OK" and highlight the certificate again and click "Remove".

  5. A warning will come up that the certificate will be removed and a new one will be generated--click "OK" or "yes".

  6. Go back and confirm that the new certificate now shows the new hostname.

  7. Now install policy to the Security Gateway in question, and now there should be access to the WebUI.

 

(11) Gaia Portal is not accessible/responsive after upgrade

Symptoms:

  • Gaia Portal is stuck in the loading icon after entering username and password.

  • "The URL you requested could not be found on the server" message is displayed in the Web browser.

  • "sec_error_reused_issuer_and_serial" message is displayed in the Web browser.

  • Debug of Gaia Portal per sk84561 - /var/log/httpd2_error_log file - repeatedly shows:
    Error: unable to stat file /tmp/<Name_of_Some_File>.xsl: No such file or directory, referer: https://<IP_Address>/.../cgi-bin/home.tcl

  • "No WebUI and RBA error - permission denied" is repeated in /var/log/messages

Possible reasons: 

  • CPWMD process fails to start.
  • Corruption in the SecurePlatform WebUI configuration file.
  • Wrong permissions were set to the WebUI web server files/directories.
  • Wrong permissions were set to the /tmp directory.
Show / Hide this Section

Note: Close the web browser before making any modifications. Web browsers can cache a negative connection attempt.

  1. On SecurePlatform OS only:
    Make sure that the CPWM process is working properly and not exiting or restarting itself:

    • Check the CPWMD daemon's log file /opt/spwm/log/cpwmd.elg.
      The last entry in the file should be "CPWMD is running".

    • If you constantly see the message "CPWMD going to die on signal 6", it means that there is a corruption in the configuration files. Continue to Step 2.


  2. On SecurePlatform OS only:
    Make sure that the SecurePlatform WebUI configuration file /opt/spwm/conf/cp_http_admin_server.conf is intact, does not have non-Unix characters, or other corruptions. The configuration file should look as follows:
    ## Configuration file for Check Point Web Server
    #
    # This file is dynamically created
    #
    # Last modified by admin at DATE TIME
    #
    SESSION_TIMEOUT=900
    SSL=1
    WEBROOT=/opt/spwm/www
    SERVCERT=/opt/spwm/servcert/servcert.p12
    CERTPWD=
    LOGDIR=/opt/spwm/log
    TEMPDIR=/opt/spwm/tmp
    SESSION_TIMEOUT=900
    ACTIVE=1
    ADDRESS=0.0.0.0
    PORT=4434
    

  3. On SecurePlatform OS only:
    Permissions of the WebUI server should be as follows:

    1. The directory that contains the server setup - /opt/spwm/www - should have these permissions:

      drwx------ 11 nobody nobody 4096 Aug 31 23:41 www

    2. The directory that contains the server's HTML setup - /opt/spwm/www/html - should have these permissions:

      drwx------ 8 nobody nobody 4096 Aug 31 23:42 html

    3. The files and sub-directories inside the /opt/spwm/www/html/ directory should have the following permissions:

      Note: All files inside the /opt/spwm/www/html/ directory must have "nobody:nobody" ownership.

      -rwxr-x---  1 nobody nobody 55056532 Aug 31 23:41 SmartConsole.exe
      -rwxr-x---  1 nobody nobody 55056532 Aug 31 23:42 SmartConsole_RXX.exe
      -r-x------  1 nobody nobody      857 Aug 31 23:42 appParams.js
      dr-x------  3 nobody nobody     4096 Aug 31 23:41 help
      -r--------  1 nobody nobody    18955 Aug 31 23:42 index.html
      dr-x------  3 nobody nobody     4096 Aug 31 23:41 spwm_dev_mgmt
      dr-x------  3 nobody nobody     4096 Aug 31 23:41 spwm_fw1
      dr-x------  3 nobody nobody     4096 Aug 31 23:41 spwm_network
      dr-x------  6 nobody nobody     4096 Aug 31 23:41 spwm_splat
      drwx------  3 nobody nobody     4096 Sep 11 23:12 webis
      

    Notes:

    • To view the current permissions of a file, use the 'ls -l' command on the file.

      For example, to see the permissions for the /opt/spwm/conf/cp_http_admin_server.conf file, run:

      [Expert@HostName]# ls -l /opt/spwm/conf/cp_http_admin_server.conf

    • To view the current permissions of a directory, use the 'ls -l' command on its parent directory.

      For example, to see the permissions for the /opt/spwm/www/html directory, run:

      [Expert@HostName]# ls -l /opt/spwm/www

    • To change the access permissions, use the 'chmod' command:

      [Expert@HostName]# chmod [-R] u=[rwx],g=[rwx],o=[rwx] TARGET_FILE_or_DIRECTORY

      where
      • '-R' flag should be used for recursive change (for all files inside a directory).
      • 'u=[rwx],g=[rwx],o=[rwx]' should be used for setting the specific permission for User, Group, Others.


      Run 'chmod --help' for more information.

    • To change the ownership permissions, use the 'chown' command:

      [Expert@HostName]# chown [-R] USER:GROUP TARGET_FILE_or_DIRECTORY

      where
      • '-R' flag should be used for recursive change (for all files inside a directory).


      Run 'chown --help' for more information.


  4. On SecurePlatform OS and Gaia OS:
    Permissions of the /tmp directory should be as follows:

    drwxrwxrwt 5 admin root 4096 Jan  2 11:21 /tmp
    

    Notes:

    • To view the current permissions of a directory, use the 'ls -ld' command on the directory:

      [Expert@HostName]# ls -ld /tmp

    • To change the access permissions, use the 'chmod' command:

      [Expert@HostName]# chmod [-R] u=[rwx],g=[rwx],o=[rwx] TARGET_DIRECTORY

      where
      • '-R' flag should be used for recursive change (for all files inside a directory).
      • 'u=[rwx],g=[rwx],o=[rwx]' should be used for setting the specific permission for User, Group, Others.


      To set the default permissions for the /tmp directory, run:

      [Expert@HostName]# chmod a=rwxt /tmp

      Run 'chmod --help' for more information.

    • To change the ownership permissions, use the 'chown' command:

      [Expert@HostName]# chown [-R] USER:GROUP TARGET_DIRECTORY

      where
      • '-R' flag should be used for recursive change (for all files inside a directory).


      Run 'chown --help' for more information.

 

 

Applies To:
  • This article is merged with sk83482, sk96117, sk89100 and sk65319

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment