Monday, 25 February 2013

Check Point SPLAT SNMPv3 memory monitoring

A basic implementation of memory monitoring over SNMP can lead to false alarms.
[Expert@FW1]# free
             total       used       free     shared    buffers     cached
Mem:       8308232    8027236     280996          0     249776    5983656
-/+ buffers/cache:    1793804    6514428
Swap:     18347752          0   18347752
In the example above, the firewall is running (208772 active connections).
The OS reports "8027236" of "8308232" used. However, we see that the
'free' + 'buffers' + 'cached' = "280996" + "249776" + "5983656" = "6514428", which is
'logically' free for applications to use, and will be handed out by the kernel appropriately.

According to sk32206: How to determine how much Free Memory is available on Linux/SecurePlatform systems
'Free Real Memory' should be equal to
- 'Free Real Memory' in output of 'cpstat -f memory os' command
- [ ('MemFree' + 'Buffers' + 'Cached') / 1024 ] from output of 'cat /proc/meminfo' command

Check out
You'll find a very simple Perl script to retrieve the proper value of memory consumption.

[root@supervision plugins]# ./ -w 85 -c 95 -- -v3 -u USERNAME  -A '.xxx' -a MD5 -x DES -X 'xxxx' -l authPriv FW1
MEMORY OK: 21.57 % used; Free => 282472 Kb, Total => 8308232 Kb, Cached => 5983648 Kb, Buffered => 249772 Kb

We can compare with the result of cpstat on the firewall:
[Expert@FW1]# cpstat -f memory os
Total Virtual Memory (Bytes):  27295727616
Active Virtual Memory (Bytes): 1836130304
Total Real Memory (Bytes):     8507629568
Active Real Memory (Bytes):    1836130304
Free Real Memory (Bytes):      6671499264
Memory Swaps/Sec:              -
Memory To Disk Transfers/Sec:  -

Let's do some math: 1 -(6671499264 / 8507629568) = 0.2158 => 21.58%  :-)
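
The same calculation as a Nagios-style check, written as an added example (it is not the Perl script mentioned above). It assumes the values come from the UCD-SNMP-MIB memory objects (memTotalReal, memAvailReal, memBuffer, memCached) in net-snmp's text output; the sample input is constructed from the plugin output shown in this post, and the function names are hypothetical.

```python
"""Nagios-style memory check that counts buffers and page cache as free."""
import re

# Constructed sample: UCD-SNMP-MIB memory values as net-snmp prints them,
# filled with the numbers from the plugin output shown in this post.
SAMPLE_WALK = """\
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 8308232 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 282472 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 249772 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 5983648 kB
"""

LINE_RE = re.compile(r"::(\w+)\.0 = INTEGER: (\d+)(?: kB)?\s*$")
REQUIRED = ("memTotalReal", "memAvailReal", "memBuffer", "memCached")
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

def parse_walk(text):
    """Return {object name: value in kB} for every line that matches."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def used_percent(values, count_cache_as_free=True):
    """Percentage of real memory in use, rounded to two decimals."""
    total = values["memTotalReal"]
    free = values["memAvailReal"]
    if count_cache_as_free:
        free += values["memBuffer"] + values["memCached"]
    return round(100.0 * (total - free) / total, 2)

def check_memory(text, warn=85.0, crit=95.0):
    """Return (exit_code, message) in the usual Nagios plugin style."""
    values = parse_walk(text)
    missing = [name for name in REQUIRED if name not in values]
    if missing or values.get("memTotalReal", 0) <= 0:
        return UNKNOWN, "MEMORY UNKNOWN: missing " + ", ".join(missing or ["memTotalReal"])
    pct = used_percent(values)
    naive = used_percent(values, count_cache_as_free=False)
    code = CRITICAL if pct >= crit else WARNING if pct >= warn else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[code]
    return code, f"MEMORY {label}: {pct:.2f} % used (naive: {naive:.2f} %)"

if __name__ == "__main__":
    print(check_memory(SAMPLE_WALK)[1])
```

With the -w 85 -c 95 thresholds used above, the naive figure (total minus free only) would raise a CRITICAL on this healthy firewall, while the corrected figure stays OK.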

Tuesday, 19 February 2013

Check Point Splat monitoring SNMPv3

Configure SNMP v3 on SecurePlatform 

[Expert@FW]# snmp user del public
[Expert@FW]# snmp user add authuser Nagios pass complexpassphrase priv privatepass
[Expert@FW]# snmp service enable

[Expert@FW]# cat /etc/snmp/snmpd.conf
master agentx
syslocation "Somewhere"
syscontact SOC - Security
sysservices 76
rocommunity PASSWORD
trap2sink PASSWORD1
cp_cleartrap 10 2
proc syslogd 1 1
disk /var 20%
cp_monitor == 2 60 "link 1 down"
cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"
cp_monitor > 100 60 "CPU load 1 min"
cp_monitor > 90 60 "CPU load 5 min"
cp_monitor < 2000 60 "memAvailSwap"
cp_monitor < 2000 60 "memAvailReal"
cp_monitor != "active" 20 "Cluster State"
cp_monitor > 50000 20 "Firewall connections"
cp_monitor > 60000 60 "/opt hrStorageUsed"
exec maxconn /bin/sh /home/admin/

Activate the Check Point MIB with cpconfig:
2.SNMP Extension

There should be 2 processes running:

Wanna get the current number of connections in real time?
[Expert@FW]# cat
/bin/cpfw_start ctl pstat | grep 'Concurrent Connections:' | sed 's/.*out of\ \([0-9]\+\).*/\1/g'

By the way, to avoid SNMP spam messages like this one in /var/log/messages:
Dec 7 15:50:48 hostname snmpd[2621]: Received SNMP packet(s) from UDP: []:34665

Follow this SK: Disable verbose SNMP logging - "snmpd[PID]: Received SNMP packet(s) from UDP:"
Solution ID:            sk59023

Sunday, 11 March 2012

R75 ICA management tool unreachable

Issue: unable to connect to ICA management tool using https

Check the log file $FWDIR/log/cpca.elg 
>> "unable to get ssl params : no such file or directory" <<

Try to connect using http only:
$ cpca_client set_mgmt_tool off
$ cpca_client set_mgmt_tool on -no_ssl

If you can connect then do the following in CLI:

 - cpconfig
 - menu 6 : Certificate Authority
 - Do you want to change it (y/n) [n] ? y
 - Please enter the name of this Internal CA: <your_ICA_name> (e.g. Smartcenter.intranet.test)
 - Are you sure you want to change the Internal CA name (y/n) [n] ? y
 - exit cpconfig
 - run: cpstop && cpstart
Now try to connect on https://<your-smartcenter-ip>:18265
It should work fine!

Note: CA will remain the same, no impact on certificates.

Friday, 13 January 2012

scp to checkpoint SPLAT

To activate scp file transfer with a Check Point SPLAT
When you SCP to a Check Point SPLAT firewall and get the error “lost connection”, this is what you may see:
[fw] scp cpinfo.tgz admin@
authenticity of host ‘xx.xx.xx.xx (xx.xx.xx.xx)’ can’t be established.
RSA key fingerprint is 33:ff:72:0d:d6:57:53:16:d6:60:da:7e:f8:61:71:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘xx.xx.xx.xx’ (RSA) to the list of known hosts.
admin@xx.xx.xx.xx’s password:
lost connection
To resolve this, do the following:
1. change the admin shell from /bin/cpshell to /bin/bash
chsh admin
Changing shell for admin.
New shell [/bin/cpshell]: /bin/bash
Shell changed.
==> this will allow you to use WinSCP

2. create a new file “touch /etc/scpusers”
3. edit the file and add the users you want to allow for scp
echo admin >> /etc/scpusers

cat /etc/scpusers

4. restart the ssh service
service sshd restart
==> this will allow you to use scp

5. SCP to Checkpoint SPLAT
Under Windows : pscp cpinfo_911000113_1.tgz admin@IP_SPLAT:
Under Linux : scp cpinfo_911000113_1.tgz admin@IP_SPLAT: