Integration with identity/AAA server down-checkpoint-gaia


Vendor: checkpoint

OS: gaia

Description:
Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. Indeni will alert if this occurs.

Remediation Steps:
Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.

How does this work?
Using the Check Point command “adlog a dc” we retrieve the status of the domain controllers.

Why is this important?
When using Identity Awareness it is important to make sure that the domain controllers are connected, otherwise no new events will be retrieved.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-gaia-adlog-a-dc-novsx

name: chkp-gaia-adlog-a-dc-novsx
description: Check status of connected domain controllers for Identity Awareness
type: monitoring
monitoring_interval: 10 minute
requires:
    vendor: checkpoint
    os.name: gaia
    role-firewall: 'true'
    vsx:
            neq: 'true'
comments:
    identity-integration-connection-state:
        why: |
            When using Identity Awareness it is important to make sure that the domain controllers are connected, otherwise no new events will be retrieved.
        how: |
            Using the Check Point command "adlog a dc" we retrieve the status of the domain controllers.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Listing status of domain controllers is only available
            from the command line interface or SmartDashboard.
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 adlog a dc && sleep 5 && ${nice-path} -n 15 adlog
            a dc && sleep 5 && ${nice-path} -n 15 adlog a dc
    parse:
        type: AWK
        file: adlog-a-dc-novsx.parser.1.awk
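
The parse step above, sketched as an added example; this is not Indeni's adlog-a-dc-novsx.parser.1.awk, whose contents are not shown on this page. It assumes a column layout for the "adlog a dc" output, uses constructed sample data, and assumes a controller counts as connected if any of the three runs reports "has connection":

```shell
#!/bin/sh
# Constructed sample, not captured from a device: three consecutive
# "adlog a dc" outputs, as the script's chained command would produce.
# The column layout and the failure text are assumptions.
sample_adlog_output() {
cat <<'EOF'
Domain controllers:
Domain Name      IP Address     Events (last hour)   Connection state
=====================================================================
corp.example     192.0.2.10     120                  has connection
corp.example     192.0.2.11     0                    not connected (constructed)
corp.example     192.0.2.12     0                    not connected (constructed)
Domain controllers:
Domain Name      IP Address     Events (last hour)   Connection state
=====================================================================
corp.example     192.0.2.10     121                  has connection
corp.example     192.0.2.11     0                    not connected (constructed)
corp.example     192.0.2.12     4                    has connection
Domain controllers:
Domain Name      IP Address     Events (last hour)   Connection state
=====================================================================
corp.example     192.0.2.10     121                  has connection
corp.example     192.0.2.11     0                    not connected (constructed)
corp.example     192.0.2.12     9                    has connection
EOF
}

# Print "<ip> <state>" per domain controller, in first-seen order.
# state is 1 if any run reported "has connection", otherwise 0, so a
# single failed poll does not mark a controller as down.
dc_states() {
  awk '
    match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      ip = substr($0, RSTART, RLENGTH)
      rest = substr($0, RSTART + RLENGTH)   # text after the IP column
      if (!(ip in up)) { up[ip] = 0; order[++n] = ip }
      if (rest ~ /has connection/) up[ip] = 1
    }
    END { for (i = 1; i <= n; i++) print order[i], up[order[i]] }
  '
}

sample_adlog_output | dc_states
```

Each output line maps to one identity-integration-connection-state sample tagged by controller; only 192.0.2.11, which failed in all three runs, is reported as 0.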

cross_vendor_identity_integration_down

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{EndsWithRepetition, Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.rules.RemediationStepCondition

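/**
  * Cross-vendor rule that alerts when the identity-integration-connection-state
  * metric reports an identity/AAA server as down.
  */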
case class cross_vendor_identity_integration_down() extends StateDownTemplateRule(
  ruleName = "cross_vendor_identity_integration_down",
  ruleFriendlyName = "All Devices: Integration with identity/AAA server down",
  ruleDescription = "Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. indeni will alert if this occurs.",
  metricName = "identity-integration-connection-state",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected Servers",
  alertDescription = "Typically an administrator would not be aware of a disconnected domain controller (or identity/AAA server) until users can no longer reach resources they were previously able to, or they are now able to reach resources that were previously blocked.",
  baseRemediationText = "Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.",
  historyLength = 3 /* Avoid transient issues */)(
  RemediationStepCondition.VENDOR_CP -> "A way to confirm this can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91040"
)