Firewall kernel memory usage high-checkpoint-False

error
health-checks
false
checkpoint
Firewall kernel memory usage high-checkpoint-False
0
#1

Firewall kernel memory usage high-checkpoint-False

Vendor: checkpoint

OS: False

Description:
Check Point firewalls have a memory segment dedicated to the kernel. If the kernel memory is nearing its limit, an alert will be issued.

Remediation Steps:
Determine why the firewall kernel memory is high and resolve the issue.

How does this work?
Indeni uses the built-in Check Point “fw ctl pstat” command to retrieve the usage of the kernel memory.

Why is this important?
If the firewall kernel memory becomes fully utilized, performance may be impacted and traffic may be dropped. It is critical to monitor the kernel memory’s usage and handle the issue prior to full utilization.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-fw-ctl-pstat-novsx

#! META
name: chkp-fw-ctl-pstat-novsx
description: Run "fw ctl pstat" on non-vsx or VS0
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: "checkpoint"
    vsx:
        neq: "true"
    role-firewall: "true"
    asg:
        neq: "true"

#! COMMENTS
kernel-memory-usage:
    why: |
        If the firewall kernel memory becomes fully utilized, performance may be impacted and traffic may be dropped. It is critical to monitor the kernel memory's usage and handle the issue prior to full utilization.
    how: |
        Indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the usage of the kernel memory.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the kernel memory is only available from the command line interface.

chkp-agressive-aging:
    why: |
        If the memory utilization reaches a predetermined threshold, a feature called "aggressive aging" could be automatically enabled. This feature starts removing old TCP connections ahead of the planned expiration time. This can cause performance and traffic flow issues for applications that cannot handle this. Therefore it is very useful to know when this feature has become active.
    how: |
        indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the status of the "aggressive aging" feature.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the kernel memory is only available from the command line interface.


concurrent-connections:
    why: |
        It is possible to set a limit on how many connections a device can support. If the limit is reached, no new connections are allowed and this usually results in traffic loss.
    how: |
        indeni uses the built-in Check Point "fw ctl pstat" command to retrieve the current usage an limit.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        The current and historical number of concurrent connections is accessible through Check Point SmartView Monitor.

concurrent-connections-limit:
    skip-documentation: true

concurrent-connections-usage:
    skip-documentation: true

#! REMOTE::SSH
${nice-path} -n 15 fw ctl pstat

#! PARSER::AWK

BEGIN {
    devicename = ""
}

#  Memory used: 20% (871 MB out of 4163 MB) - below watermark

/^  Memory used.*out of.*/ {
    usage_ref = $3
    usage = substr(usage_ref, 1, length(usage_ref)-1)
    writeDoubleMetricWithLiveConfig("kernel-memory-usage", null, "gauge", "60", usage, "Kernel Memory", "percentage", "")
}

#  Aggressive Aging is not active

/^  Aggressive Aging/ {
    message = trim($0)
    if (message == "Aggressive Aging is not active") {
        chkp_agressive_aging = 0
    } else if (message == "Aggressive Aging is active") {
        chkp_agressive_aging = 1
    }
    writeDoubleMetric("chkp-agressive-aging", null, "gauge", 60, chkp_agressive_aging)
}

#  Concurrent Connections: 13 (Unlimited)
#  Concurrent Connections: 0% (5 out of 24900) - below watermark

/^  Concurrent Connections:/ {
    if ($NF == "(Unlimited)") {
        connections = $3
    } else {
        connections = $4
        sub(/\(/,"",connections)
        connection_limit = $7
        sub(/\)/,"",connection_limit)
        connection_usage = (connections/connection_limit)
    }
    writeDoubleMetricWithLiveConfig("concurrent-connections", null, "gauge", 60, connections ,"Concurrent Connections","number","")

    if (connection_limit) {
        writeDoubleMetricWithLiveConfig("concurrent-connections-limit", null, "gauge", 60, connection_limit, "Concurrent Connections Limit", "number", "")
        writeDoubleMetricWithLiveConfig("concurrent-connections-usage", null, "gauge", 60, connection_usage, "Concurrent Connections Usage", "number", "")
    }
}


chkp_firewall_kernel_memory_vsx

package com.indeni.server.rules.library.checkpoint

import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.AverageExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{PerDeviceRule, RuleHelper}
import com.indeni.server.rules.library.checkpoint.KernelMemoryHighVsxRule.NAME
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class KernelMemoryHighVsxRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "High_Threshold_of_Kernel_Memory_usage"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "High Threshold of Kernel Memory Usage",
    "What is the threshold for the kernel memory usage for which once it is crossed an alert will be issued.",
    UIType.DOUBLE,
    80.0)

  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "Check Point Firewalls (VSX): Firewall kernel memory usage high",
    "Check Point firewalls have a memory segment dedicated to the kernel. If the kernel memory is nearing its limit, an alert will be issued.", AlertSeverity.ERROR).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val inUseValue = AverageExpression(TimeSeriesExpression[Double]("kernel-memory-usage"))
    val thresholdValue = getParameterDouble(highThresholdParameter)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
        StatusTreeExpression(

          // The additional tags we care about (we'll be including this in alert data)
          SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True),

            StatusTreeExpression(
              // The time-series we check the test condition against:
              SelectTimeSeriesExpression[Double](context.tsDao, Set("kernel-memory-usage")),

              // The condition which, if true, we have an issue. Checked against the time-series we've collected
              GreaterThanOrEqual(
                inUseValue,
                thresholdValue)

              // The Alert Item to add for this specific item
              ).withSecondaryInfo(
                scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
                scopableStringFormatExpression("The firewall kernel memory in use is %.0f%% where the threshold is %.0f%%.", inUseValue, thresholdValue),
                title = "Affected VS's"
            ).asCondition()
        ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("The firewall kernel memory is high for some VS's. See the list below."),
        ConstantExpression("Determine why the firewall kernel memory is high and resolve the issue.")
    )
  }
}

object KernelMemoryHighVsxRule {

  /* --- Constants --- */

  private[checkpoint] val NAME = "chkp_firewall_kernel_memory_vsx"
}