High destination cache usage-checkpoint-gaia,secureplatform

error
health-checks
checkpoint
gaiasecureplatform
High destination cache usage-checkpoint-gaia,secureplatform
0

#1

High destination cache usage-checkpoint-gaia,secureplatform

Vendor: checkpoint

OS: gaia,secureplatform

Description:
indeni will alert when the number of entries stored in a device’s destination cache is nearing the allowed limit.

Remediation Steps:
Identify the cause of the large destination cache. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.
Review sk74480: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74480

How does this work?
The current cache usage is taken from /proc/slabinfo and the limit from /proc/sys/net/ipv4/route/max_size. See Check point KB https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100110 for more information.

Why is this important?
The destination cache is used to remember routing decisions that were made by the firewall to accelerate future routing decisions. If the cache reaches its limit performance issues may occur.

Without Indeni how would you find this?
An administrator could login and manually check this from the command line interface.

chkp-os-dst-cache

#! META
name: chkp-os-dst-cache
description: checks the current cache and the limit
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: secureplatform
        # os.name: gaia-embedded removed per   IKP-932
        
#! COMMENTS
destination-cache-usage:
    why: |
        The destination cache is used to remember routing decisions that were made by the firewall to accelerate future routing decisions. If the cache reaches its limit performance issues may occur.
    how: |
        The current cache usage is taken from /proc/slabinfo and the limit from /proc/sys/net/ipv4/route/max_size.
        See Check point KB https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100110 for more information.
    without-indeni: |
        An administrator could login and manually check this from the command line interface.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface.

destination-cache-limit:
    skip-documentation: true

#! REMOTE::SSH
${nice-path} -n 15 cat /proc/slabinfo |grep ip_dst_cache && echo -n "max " && ${nice-path} -n 15 cat /proc/sys/net/ipv4/route/max_size

#! PARSER::AWK

# ip_dst_cache          20     48    320   12    1 : tunables   54   27    8 : slabdata      4      4      0
/ip_dst_cache/ {
	writeDoubleMetric("destination-cache-usage", null, "gauge", 300, $3)
}


# max 1048576
/max / {
	writeDoubleMetric("destination-cache-limit", null, "gauge", 300, $2)
}

chkp-os-dst-cache

#! META
name: chkp-os-dst-cache
description: checks the current cache and the limit
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: secureplatform
        # os.name: gaia-embedded removed per   IKP-932
        
#! COMMENTS
destination-cache-usage:
    why: |
        The destination cache is used to remember routing decisions that were made by the firewall to accelerate future routing decisions. If the cache reaches its limit performance issues may occur.
    how: |
        The current cache usage is taken from /proc/slabinfo and the limit from /proc/sys/net/ipv4/route/max_size.
        See Check point KB https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100110 for more information.
    without-indeni: |
        An administrator could login and manually check this from the command line interface.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface.

destination-cache-limit:
    skip-documentation: true

#! REMOTE::SSH
${nice-path} -n 15 cat /proc/slabinfo |grep ip_dst_cache && echo -n "max " && ${nice-path} -n 15 cat /proc/sys/net/ipv4/route/max_size

#! PARSER::AWK

# ip_dst_cache          20     48    320   12    1 : tunables   54   27    8 : slabdata      4      4      0
/ip_dst_cache/ {
	writeDoubleMetric("destination-cache-usage", null, "gauge", 300, $3)
}


# max 1048576
/max / {
	writeDoubleMetric("destination-cache-limit", null, "gauge", 300, $2)
}

cross_vendor_dst_cache_overflow

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, NearingCapacityTemplateRule}

/**
  *
  */
case class cross_vendor_dst_cache_overflow() extends NearingCapacityTemplateRule(
  ruleName = "cross_vendor_dst_cache_overflow",
  ruleFriendlyName = "All Devices: High destination cache usage",
  ruleDescription = "indeni will alert when the number of entries stored in a device's destination cache is nearing the allowed limit.",
  usageMetricName = "destination-cache-usage",
  limitMetricName = "destination-cache-limit",
  threshold = 80.0,
  alertDescriptionFormat = "The destination cache table has %.0f entries where the limit is %.0f. This table is used to cache routing decisions and increase the speed of traffic forwarding.",
  baseRemediationText = "Identify the cause of the large destination cache. If it is due to a legitimate cause, such as a high number of hosts visible on the available networks, please contact your technical support provider.")(
  ConditionalRemediationSteps.VENDOR_CP -> "Review sk74480: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74480")