In CoreXL a single core shouldn't handle both interface interrupts and fw worker-checkpoint-gaia,secureplatform

In CoreXL a single core shouldn't handle both interface interrupts and fw worker-checkpoint-gaia,secureplatform
0

In CoreXL a single core shouldn’t handle both interface interrupts and fw worker-checkpoint-gaia,secureplatform

Vendor: checkpoint

OS: gaia,secureplatform

Description:
Best practices for CoreXL dictate that a single core should not be assigned to an interface AND an FW worker. indeni will trigger an issue if this is the case.

Remediation Steps:
Ensure that each CPU (such as CPU 0, CPU 1) only appears in lines which start with an interface name OR only appears in lines which start with “fw_”.

How does this work?
By listing which cores are assigned to what task, a core that share both fw_worker and SND task can be identified.

Why is this important?
For a system that has more than 2 cores, the fw_worker process should not share CPU core with the Secure Network Dispatcher (SND). For more information see https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-fw-ctl-affinity-l-m

name: chkp-fw-ctl-affinity-l-m
description: Show CoreXL affinity information
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    role-firewall: 'true'
    or:
    -   os.name: gaia
    -   os.name: secureplatform
comments:
    corexl-core-assigned-workers-and-nics:
        why: |
            For a system that has more than 2 cores, the fw_worker process should not share CPU core with the Secure Network Dispatcher (SND). For more information see https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
        how: |
            By listing which cores are assigned to what task, a core that share both fw_worker and SND task can be identified.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw ctl affinity -l
    parse:
        type: AWK
        file: fw-ctl-affinity-l-m.parser.1.awk

chkp_worker_and_SND_mixed

package com.indeni.server.rules.library.core
import com.indeni.ruleengine.expressions.conditions.Equals
import com.indeni.ruleengine.expressions.core.{ConstantExpression, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceCategory, DeviceKey, RuleCategory, RuleContext, RuleMetadata}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class ChkpWorkerAndSNDMixedRule() extends PerDeviceRule with RuleHelper {

  override val metadata: RuleMetadata = RuleMetadata.builder("chkp_worker_and_SND_mixed", "In CoreXL a single core shouldn't handle both interface interrupts and fw worker",
    "Best practices for CoreXL dictate that a single core should not be assigned to an interface AND an FW worker. indeni will trigger an issue if this is the case.", AlertSeverity.ERROR,
    categories = Set(RuleCategory.VendorBestPractices),
    deviceCategory = DeviceCategory.CheckPointFirewalls).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val inUseValue = TimeSeriesExpression[Double]("corexl-core-assigned-workers-and-nics").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

          StatusTreeExpression(
            // The time-series we check the test condition against:
            SelectTimeSeriesExpression[Double](context.tsDao, Set("corexl-core-assigned-workers-and-nics"), denseOnly = false),

            // The condition which, if true, we have an issue. Checked against the time-series we've collected
            Equals(
              inUseValue,
              ConstantExpression(Some(1.0)))
        ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("The output of \"fw ctl affinity -l\" shows that at least one CPU is assigned to both interfaces and fw workers. This is contrary to Check Point's best practices."),
        ConditionalRemediationSteps("Ensure that each CPU (such as CPU 0, CPU 1) only appears in lines which start with an interface name OR only appears in lines which start with \"fw_\".")
    )
  }
}