In CoreXL a single core shouldn't handle both interface interrupts and fw worker
Vendor: checkpoint
OS: gaia,secureplatform
Description:
Best practices for CoreXL dictate that a single core should not be assigned to an interface AND an FW worker. indeni will trigger an issue if this is the case.
Remediation Steps:
Ensure that each CPU (such as CPU 0, CPU 1) only appears in lines which start with an interface name OR only appears in lines which start with “fw_”.
How does this work?
By listing which cores are assigned to which task, a core that carries both an fw_worker instance and an SND (interface interrupt) task can be identified.
Why is this important?
For a system that has more than 2 cores, the fw_worker process should not share a CPU core with the Secure Network Dispatcher (SND). For more information see https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
Without Indeni how would you find this?
An administrator could log in to expert mode, run "fw ctl affinity -l" manually and look for a CPU number that appears both on a line starting with an interface name and on a line starting with "fw_".
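The manual check above (and the core-listing logic the "How does this work?" section describes) can be scripted. The following is an added example, not indeni's AWK parser or any Check Point tooling; it assumes the "<name>: CPU <n> [<n> ...]" line layout of "fw ctl affinity -l" output and treats every non-"fw_" line as an interface, which is what the remediation text does as well. The sample output embedded in it is constructed, not captured from a real gateway.

```sh
#!/bin/sh
# Added example (not indeni's parser): flag CPUs that appear on both an
# interface line and an fw_ worker line in "fw ctl affinity -l" output.
# Assumed line layout: "<name>: CPU <n> [<n> ...]"; "CPU all" is skipped.

# Constructed sample output, not captured from a real gateway.
SAMPLE_AFFINITY='eth0: CPU 0
eth1: CPU 0
eth2: CPU 1
Mgmt: CPU 2 3
fw_0: CPU 3
fw_1: CPU 2
fw_2: CPU 1'

# Reads affinity output on stdin and prints one line per shared CPU,
# e.g. "CPU 1: eth2 fw_2" (interfaces first, then workers). No output
# means no core is shared between SND and fw_worker tasks.
detect_mixed_cores() {
    awk -F': *' '
        # Only lines of the form "<name>: CPU <n> [<n> ...]" carry affinity.
        NF >= 2 && $2 ~ /^CPU / {
            name = $1
            n = split($2, f, " ")
            if (f[2] == "all") next        # not pinned to a specific core
            for (i = 2; i <= n; i++) {
                cpu = f[i]
                if (name ~ /^fw_[0-9]+$/)
                    workers[cpu] = workers[cpu] " " name
                else
                    ifaces[cpu] = ifaces[cpu] " " name
            }
        }
        END {
            for (cpu in workers)
                if (cpu in ifaces)
                    printf "CPU %s:%s%s\n", cpu, ifaces[cpu], workers[cpu]
        }
    ' | sort
}

# Exit status 0 when no core is shared, 1 otherwise (usable from cron).
corexl_affinity_ok() {
    [ -z "$(detect_mixed_cores)" ]
}

# Stand-alone demo on the constructed sample. On a gateway, pipe the real
# output instead:  fw ctl affinity -l | detect_mixed_cores
printf '%s\n' "$SAMPLE_AFFINITY" | detect_mixed_cores
```

On the constructed sample the script reports CPUs 1, 2 and 3 as shared; CPU 0 carries only interface interrupts and is not reported. On a box with 2 cores or fewer this sharing is expected, so gate the check on the core count before alerting on it.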
chkp-fw-ctl-affinity-l-m
name: chkp-fw-ctl-affinity-l-m
description: Show CoreXL affinity information
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    role-firewall: 'true'
    or:
        -   os.name: gaia
        -   os.name: secureplatform
comments:
    corexl-core-assigned-workers-and-nics:
        why: |
            For a system that has more than 2 cores, the fw_worker process should not share a CPU core with the Secure Network Dispatcher (SND). For more information see https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
        how: |
            By listing which cores are assigned to which task, a core that carries both an fw_worker instance and an SND task can be identified.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw ctl affinity -l
    parse:
        type: AWK
        file: fw-ctl-affinity-l-m.parser.1.awk
chkp_worker_and_SND_mixed
package com.indeni.server.rules.library.core

import com.indeni.ruleengine.expressions.conditions.Equals
import com.indeni.ruleengine.expressions.core.{ConstantExpression, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceCategory, DeviceKey, RuleCategory, RuleContext, RuleMetadata}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class ChkpWorkerAndSNDMixedRule() extends PerDeviceRule with RuleHelper {

  override val metadata: RuleMetadata = RuleMetadata.builder("chkp_worker_and_SND_mixed", "In CoreXL a single core shouldn't handle both interface interrupts and fw worker",
    "Best practices for CoreXL dictate that a single core should not be assigned to an interface AND an FW worker. indeni will trigger an issue if this is the case.", AlertSeverity.ERROR,
    categories = Set(RuleCategory.VendorBestPractices),
    deviceCategory = DeviceCategory.CheckPointFirewalls).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // The collector writes 1.0 when at least one CPU carries both an interface and an fw_ worker, 0.0 otherwise
    val inUseValue = TimeSeriesExpression[Double]("corexl-core-assigned-workers-and-nics").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      StatusTreeExpression(
        // The time-series we check the test condition against:
        SelectTimeSeriesExpression[Double](context.tsDao, Set("corexl-core-assigned-workers-and-nics"), denseOnly = false),

        // The condition which, if true, we have an issue. Checked against the time-series we've collected
        Equals(
          inUseValue,
          ConstantExpression(Some(1.0)))
      ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("The output of \"fw ctl affinity -l\" shows that at least one CPU is assigned to both interfaces and fw workers. This is contrary to Check Point's best practices."),
      ConditionalRemediationSteps("Ensure that each CPU (such as CPU 0, CPU 1) only appears in lines which start with an interface name OR only appears in lines which start with \"fw_\".")
    )
  }
}