Firewall virtual memory usage high-checkpoint-all
Vendor: checkpoint
OS: all
Description:
Check Point firewalls running VSX have a memory segment called “virtual”. If the virtual memory is nearing its limit, an alert will be issued.
Remediation Steps:
Determine why the firewall virtual memory is high and resolve the issue.
chkp-fw-ctl-pstat-vsx
name: chkp-fw-ctl-pstat-vsx
description: Run "fw ctl pstat" on all VS's in a VSX environment.
type: monitoring
monitoring_interval: 4 minutes
requires:
vendor: checkpoint
vsx: 'true'
role-firewall: 'true'
comments:
kernel-memory-usage:
why: |
To get information about the total memory usage from machine
how: |
By reading the information in each VS context with the Check point command "fw ctl pstat"
can-with-snmp: false
can-with-syslog: false
chkp-agressive-aging:
why: |
To get information about the agressive-aging for connections if activated over the machine
how: |
By reading the information about "Agressive Aging" if "On" in each of VS context with the Check point
command "fw ctl pstat"
can-with-snmp: false
can-with-syslog: false
virtual-memory-usage:
why: |
To get information about the total virtual memory usage for the machine
how: |
By reading the information about "Virtual Memory" in each of VS context with the Check point
command "fw ctl pstat"
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: SSH
file: fw-ctl-pstat-vsx.remote.1.bash
parse:
type: AWK
file: fw-ctl-pstat-vsx.parser.1.awk
chkp_firewall_virtual_memory_vsx
package com.indeni.server.rules.library.checkpoint
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.AverageExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.library.checkpoint.VirtualMemoryHighVsxRule.NAME
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
case class VirtualMemoryHighVsxRule() extends PerDeviceRule with RuleHelper {
private[library] val highThresholdParameterName = "High_Threshold_of_Virtual_Memory_usage"
private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
"",
"High Threshold of Virtual Memory Usage",
"What is the threshold for the virtual memory usage for which once it is crossed an alert will be issued.",
UIType.DOUBLE,
80.0)
override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "Firewall virtual memory usage high",
"Check Point firewalls running VSX have a memory segment called \"virtual\". If the virtual memory is nearing its limit, an alert will be issued.", AlertSeverity.ERROR, categories= Set(RuleCategory.HealthChecks), deviceCategory = DeviceCategory.CheckPointFirewallsVSX).configParameter(highThresholdParameter).build()
override def expressionTree(context: RuleContext): StatusTreeExpression = {
val inUseValue = AverageExpression(TimeSeriesExpression[Double]("virtual-memory-usage"))
val thresholdValue = getParameterDouble(highThresholdParameter)
StatusTreeExpression(
// Which objects to pull (normally, devices)
SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
// What constitutes an issue
StatusTreeExpression(
// The additional tags we care about (we'll be including this in alert data)
SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True),
StatusTreeExpression(
// The time-series we check the test condition against:
SelectTimeSeriesExpression[Double](context.tsDao, Set("virtual-memory-usage"), denseOnly = true),
// The condition which, if true, we have an issue. Checked against the time-series we've collected
GreaterThanOrEqual(
inUseValue,
thresholdValue)
// The Alert Item to add for this specific item
).withSecondaryInfo(
scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
scopableStringFormatExpression("The firewall virtual memory in use is %.0f%% where the threshold is %.0f%%.", inUseValue, thresholdValue),
title = "Affected VS's"
).asCondition()
).withoutInfo().asCondition()
// Details of the alert itself
).withRootInfo(
getHeadline(),
ConstantExpression("The firewall virtual memory is high for some VS's. See the list below."),
ConditionalRemediationSteps("Determine why the firewall virtual memory is high and resolve the issue.")
)
}
}
object VirtualMemoryHighVsxRule {
/* --- Constants --- */
private[checkpoint] val NAME = "chkp_firewall_virtual_memory_vsx"
}