Firewall kernel memory usage high-checkpoint-False

Firewall kernel memory usage high-checkpoint-False
0

Firewall kernel memory usage high-checkpoint-False

Vendor: checkpoint

OS: False

Description:
Check Point firewalls have a memory segment dedicated to the kernel. If the kernel memory is nearing its limit, an alert will be issued.

Remediation Steps:
Determine why the firewall kernel memory is high and resolve the issue.

How does this work?
Indeni uses the built-in Check Point “fw ctl pstat” command to retrieve the usage of the kernel memory.

Why is this important?
If the firewall kernel memory becomes fully utilized, performance may be impacted and traffic may be dropped. It is critical to monitor the kernel memory’s usage and handle the issue prior to full utilization.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-fw-ctl-pstat-novsx

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/checkpoint/firewall/fw-ctl-pstat-novsx.ind

chkp_firewall_kernel_memory_vsx

package com.indeni.server.rules.library.checkpoint

import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.AverageExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{PerDeviceRule, RuleHelper}
import com.indeni.server.rules.library.checkpoint.KernelMemoryHighVsxRule.NAME
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class KernelMemoryHighVsxRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "High_Threshold_of_Kernel_Memory_usage"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "High Threshold of Kernel Memory Usage",
    "What is the threshold for the kernel memory usage for which once it is crossed an alert will be issued.",
    UIType.DOUBLE,
    80.0)

  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "Firewall kernel memory usage high",
    "Check Point firewalls have a memory segment dedicated to the kernel. If the kernel memory is nearing its limit, an alert will be issued.", AlertSeverity.ERROR,
    categories = Set(RuleCategory.HealthChecks), deviceCategory = DeviceCategory.CheckPointFirewallsVSX).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val inUseValue = AverageExpression(TimeSeriesExpression[Double]("kernel-memory-usage"))
    val thresholdValue = getParameterDouble(highThresholdParameter)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
        StatusTreeExpression(

          // The additional tags we care about (we'll be including this in alert data)
          SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True),

            StatusTreeExpression(
              // The time-series we check the test condition against:
              SelectTimeSeriesExpression[Double](context.tsDao, Set("kernel-memory-usage"), denseOnly = true),

              // The condition which, if true, we have an issue. Checked against the time-series we've collected
              GreaterThanOrEqual(
                inUseValue,
                thresholdValue)

              // The Alert Item to add for this specific item
              ).withSecondaryInfo(
                scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
                scopableStringFormatExpression("The firewall kernel memory in use is %.0f%% where the threshold is %.0f%%.", inUseValue, thresholdValue),
                title = "Affected VS's"
            ).asCondition()
        ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("The firewall kernel memory is high for some VS's. See the list below."),
        ConstantExpression("Determine why the firewall kernel memory is high and resolve the issue.")
    )
  }
}

object KernelMemoryHighVsxRule {

  /* --- Constants --- */

  private[checkpoint] val NAME = "chkp_firewall_kernel_memory_vsx"
}