Aggressive Aging enabled-checkpoint-False

Vendor: checkpoint

OS: False

Description:
Aggressive Aging turning on means the firewall is under an extreme load. If this happens, indeni will alert.

Remediation Steps:
Run “fw ctl pstat” for more information. Determine what may be causing the excessive load on the firewall.

How does this work?
indeni uses the built-in Check Point “fw ctl pstat” command to retrieve the status of the “aggressive aging” feature.

Why is this important?
If the memory utilization reaches a predetermined threshold, a feature called “aggressive aging” could be automatically enabled. This feature starts removing old TCP connections ahead of the planned expiration time. This can cause performance and traffic flow issues for applications that cannot handle this. Therefore it is very useful to know when this feature has become active.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-fw-ctl-pstat-novsx

#! META
name: chkp-fw-ctl-pstat-novsx
description: Run "fw ctl pstat" on non-vsx or VS0
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: "checkpoint"
    vsx:
        neq: "true"
    role-firewall: "true"
    asg:
        neq: "true"

#! COMMENTS
kernel-memory-usage:
    why: |
        If the firewall kernel memory becomes fully utilized, performance may be impacted and traffic may be dropped. It is critical to monitor the kernel memory's usage and handle the issue prior to full utilization.
    how: |
        Indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the usage of the kernel memory.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the kernel memory is only available from the command line interface.

chkp-agressive-aging:
    why: |
        If the memory utilization reaches a predetermined threshold, a feature called "aggressive aging" could be automatically enabled. This feature starts removing old TCP connections ahead of the planned expiration time. This can cause performance and traffic flow issues for applications that cannot handle this. Therefore it is very useful to know when this feature has become active.
    how: |
        indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the status of the "aggressive aging" feature.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the kernel memory is only available from the command line interface.


concurrent-connections:
    why: |
        It is possible to set a limit on how many connections a device can support. If the limit is reached, no new connections are allowed and this usually results in traffic loss.
    how: |
        indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the current usage and limit.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        The current and historical number of concurrent connections is accessible through Check Point SmartView Monitor.

concurrent-connections-limit:
    skip-documentation: true

concurrent-connections-usage:
    skip-documentation: true

#! REMOTE::SSH
${nice-path} -n 15 fw ctl pstat

#! PARSER::AWK

BEGIN {
    devicename = ""
}

#  Memory used: 20% (871 MB out of 4163 MB) - below watermark

/^  Memory used.*out of.*/ {
    usage_ref = $3
    usage = substr(usage_ref, 1, length(usage_ref)-1)
    writeDoubleMetricWithLiveConfig("kernel-memory-usage", null, "gauge", "60", usage, "Kernel Memory", "percentage", "")
}

#  Aggressive Aging is not active

/^  Aggressive Aging/ {
    message = trim($0)
    if (message == "Aggressive Aging is not active") {
        chkp_agressive_aging = 0
    } else if (message == "Aggressive Aging is active") {
        chkp_agressive_aging = 1
    }
    writeDoubleMetric("chkp-agressive-aging", null, "gauge", 60, chkp_agressive_aging)
}

#  Concurrent Connections: 13 (Unlimited)
#  Concurrent Connections: 0% (5 out of 24900) - below watermark

/^  Concurrent Connections:/ {
    if ($NF == "(Unlimited)") {
        connections = $3
    } else {
        connections = $4
        sub(/\(/,"",connections)
        connection_limit = $7
        sub(/\)/,"",connection_limit)
        connection_usage = (connections/connection_limit)
    }
    writeDoubleMetricWithLiveConfig("concurrent-connections", null, "gauge", 60, connections, "Concurrent Connections", "number", "")

    if (connection_limit) {
        writeDoubleMetricWithLiveConfig("concurrent-connections-limit", null, "gauge", 60, connection_limit, "Concurrent Connections Limit", "number", "")
        writeDoubleMetricWithLiveConfig("concurrent-connections-usage", null, "gauge", 60, connection_usage, "Concurrent Connections Usage", "number", "")
    }
}
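The three parsing steps described under "How does this work?" and implemented in the AWK parser above, as an added example that is not indeni's code: a plain POSIX sh/awk rewrite that reads "fw ctl pstat" output and prints one metric per line instead of calling indeni's writeDoubleMetric helpers. The pstat excerpt is constructed from the sample lines quoted in the parser's comments; it also covers the "(Unlimited)" connection form, the wording the page does not list for the Aggressive Aging line (reported as -1 rather than silently as 0), and a small yes/no check for the aggressive-aging state that a monitoring job could alert on.

```shell
#!/bin/sh
# Added example, not indeni's code: POSIX sh/awk rewrite of the pstat parser.
# Emits metric=value lines; metric names are spelled as on the page.

# Constructed "fw ctl pstat" excerpt (only the lines the parser reads are shown).
SAMPLE_PSTAT='
System Capacity Summary:
  Memory used: 20% (871 MB out of 4163 MB) - below watermark
  Concurrent Connections: 0% (5 out of 24900) - below watermark
  Aggressive Aging is not active
'

# parse_pstat: read pstat text on stdin, print
#   kernel-memory-usage=<percent>
#   chkp-agressive-aging=<0 inactive | 1 active | -1 unrecognised wording>
#   concurrent-connections=<count>
#   concurrent-connections-limit=<n> and concurrent-connections-usage=<fraction>
#   (the last two only when the device reports a limit rather than "(Unlimited)")
parse_pstat() {
    awk '
    /^  Memory used:.*out of/ {
        pct = $3                       # "20%"
        sub(/%$/, "", pct)             # strip the percent sign
        printf "kernel-memory-usage=%s\n", pct
    }
    /^  Aggressive Aging/ {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim leading/trailing whitespace
        if (line == "Aggressive Aging is not active")   state = 0
        else if (line == "Aggressive Aging is active")  state = 1
        else                                            state = -1
        printf "chkp-agressive-aging=%d\n", state
    }
    /^  Concurrent Connections:/ {
        limit = ""                     # reset so an earlier line cannot leak a limit
        if ($NF == "(Unlimited)") {
            conns = $3                 # "13 (Unlimited)" form
        } else {
            conns = $4; sub(/^\(/, "", conns)    # "(5" -> "5"
            limit = $7; sub(/\)$/, "", limit)    # "24900)" -> "24900"
        }
        printf "concurrent-connections=%s\n", conns
        if (limit != "") {
            printf "concurrent-connections-limit=%s\n", limit
            printf "concurrent-connections-usage=%.4f\n", conns / limit
        }
    }'
}

# metric NAME: value of one metric from pstat text on stdin (empty if absent)
metric() {
    parse_pstat | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# aggressive_aging_active TEXT: succeeds when the pstat text says aging is active
aggressive_aging_active() {
    [ "$(printf '%s\n' "$1" | metric chkp-agressive-aging)" = "1" ]
}

# Stand-alone run: print every metric for the constructed sample.
printf '%s\n' "$SAMPLE_PSTAT" | parse_pstat
```

The usage fraction is printed with four decimals so that a near-empty table still yields a non-zero value; the original parser leaves the precision to indeni's metric store.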


check_point_aggressive_aging_vsx

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
/**
  *
  */
case class check_point_aggressive_aging_vsx() extends StateDownTemplateRule(
  ruleName = "check_point_aggressive_aging_vsx",
  ruleFriendlyName = "Check Point Firewalls (VSX): Aggressive Aging enabled",
  ruleDescription = "Aggressive Aging turning on means the firewall is under an extreme load. If this happens, indeni will alert.",
  metricName = "chkp-agressive-aging",
  applicableMetricTag = "vs.name",
  alertIfDown = false,
  alertItemsHeader = "Affected VS's",
  alertDescription = "Aggressive Aging has started operating on this device.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/johnathanbrowall\">Johnathan Browall Nordstrom</a>.",
  baseRemediationText = "Run \"fw ctl pstat\" for more information. Determine what may be causing the excessive load on the firewall.")()