Integration with identity/AAA server down-checkpoint-gaia

Tags: error, health-checks, checkpoint, gaia

Vendor: checkpoint

OS: gaia

Description:
Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. indeni will alert if this occurs.

Remediation Steps:
Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.
A way of confirming this can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91040

How does this work?
Using the Check Point command "adlog a dc", we retrieve the connection status of the domain controllers.

Why is this important?
When using Identity Awareness it is important to make sure that the domain controllers are connected, otherwise no new events will be retrieved.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-gaia-adlog-a-dc-novsx

#! META
name: chkp-gaia-adlog-a-dc-novsx
description: check status of connected domain controllers for Identity Awareness
type: monitoring
monitoring_interval: 10 minute
requires:
    vendor: checkpoint
    os.name: gaia

#! COMMENTS
identity-integration-connection-state:
    why: |
        When using Identity Awareness it is important to make sure that the domain controllers are connected, otherwise no new events will be retrieved.
    how: |
        Using the Check Point command "adlog a dc" we retrieve the status of the domain controllers.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing status of domain controllers is only available from the command line interface or SmartDashboard.

#! REMOTE::SSH
${nice-path} -n 15 adlog a dc && sleep 5 && ${nice-path} -n 15 adlog a dc && sleep 5 && ${nice-path} -n 15 adlog a dc

#! PARSER::AWK

BEGIN {
	# Columns in the adlog output are separated by runs of three or more spaces.
	FS = "[ ]{3,}"
}

#Domain Name               IP Address                Events (last hour)   Connection state
/(Domain Name|IP Address|Events|Connection state)/ {
	# Parse the line into a column array.
	getColumns(trim($0), "[ ]{3,}", columns)
}

#test.local             192.168.123.50            14269                has connection
# A data row: a domain name, then an IPv4 address. A plain group is used rather than
# the non-capturing "(?:...)" form, which POSIX awk does not accept; matching is identical.
/^[a-zA-Z].+\s{2,}([0-9]{1,3}\.){3}[0-9]{1,3}/ {
	# Use getColData to parse out the data for the specific column from the current line. The current line will be
	# split according to the same separator we've passed in the getColumns function (it's stored in the "columns" variable).
	# If the column cannot be found, the result of getColData is null (not "null").

	row = trim($0)
	connectionState = getColData(row, columns, "Connection state")
	ip = getColData(row, columns, "IP Address")

	if (connectionState == "has connection") {
		# Count how many of the three samples reported this DC as connected.
		serverArr[ip]++
	} else if (ip in serverArr) {
		# IP already seen but not connected in this sample; leave its count unchanged.
	} else {
		# First time this IP is seen and it is not connected: record it with a zero count.
		serverArr[ip] = 0
	}
}

END {
	for (ip in serverArr) {
		# A DC counts as connected (1) only if at least two of the three samples
		# reported "has connection"; otherwise report it as down (0).
		if (serverArr[ip] > 1) {
			status = 1
		} else {
			status = 0
		}

		tags["name"] = ip
		writeDoubleMetric("identity-integration-connection-state", tags, "gauge", 300, status)
	}
}
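The same parse-and-debounce logic in Python, as an added example that is not part of the indeni script above (which runs in indeni's AWK engine) and not Check Point's code. The three `adlog a dc` snapshots are constructed sample output, the "no connection" wording for a disconnected controller is an assumed value, and `get_columns`/`get_col_data` are assumed stand-ins for indeni's library helpers, implemented here as index-based splits on runs of three or more spaces so that rows need not be aligned with the header.

```python
import re

# Constructed sample: three snapshots of `adlog a dc` taken 5 seconds apart,
# mirroring the three chained runs in the REMOTE::SSH line. Values are made up.
SAMPLE_RUNS = [
    "Domain Name               IP Address                Events (last hour)   Connection state\n"
    "test.local                192.168.123.50            14269                has connection\n"
    "test.local                192.168.123.51            312                  has connection\n"
    "lab.local                 10.0.0.20                 0                    no connection\n"
    "lab.local                 10.0.0.21                 0                    has connection\n",
    "Domain Name               IP Address                Events (last hour)   Connection state\n"
    "test.local                192.168.123.50            14271                has connection\n"
    "test.local                192.168.123.51            312                  no connection\n"
    "lab.local                 10.0.0.20                 0                    no connection\n"
    "lab.local                 10.0.0.21                 0                    no connection\n",
    "Domain Name               IP Address                Events (last hour)   Connection state\n"
    "test.local                192.168.123.50            14274                has connection\n"
    "test.local                192.168.123.51            315                  has connection\n"
    "lab.local                 10.0.0.20                 0                    no connection\n"
    "lab.local                 10.0.0.21                 0                    no connection\n",
]

FIELD_SEP = re.compile(r" {3,}")                      # same as the AWK FS "[ ]{3,}"
HEADER_RE = re.compile(r"Domain Name|IP Address|Events|Connection state")
ROW_RE = re.compile(r"^[A-Za-z].+\s{2,}([0-9]{1,3}\.){3}[0-9]{1,3}")  # name, then an IPv4


def get_columns(header_line):
    """Assumed stand-in for indeni's getColumns: header name -> field index."""
    return {name: i for i, name in enumerate(FIELD_SEP.split(header_line.strip()))}


def get_col_data(row, columns, name):
    """Assumed stand-in for indeni's getColData: the named column's value, or None."""
    fields = FIELD_SEP.split(row.strip())
    idx = columns.get(name)
    return fields[idx] if idx is not None and idx < len(fields) else None


def count_connections(runs):
    """Per DC IP, how many of the snapshots reported 'has connection'."""
    counts = {}
    columns = {}   # persists across runs, as the AWK 'columns' array does
    for run in runs:
        for line in run.splitlines():
            if HEADER_RE.search(line):
                columns = get_columns(line)
            if not ROW_RE.match(line):
                continue
            ip = get_col_data(line, columns, "IP Address")
            state = get_col_data(line, columns, "Connection state")
            if ip is None:
                continue
            if state == "has connection":
                counts[ip] = counts.get(ip, 0) + 1
            else:
                counts.setdefault(ip, 0)   # seen, but not connected in this sample
    return counts


def connection_state_metrics(runs, ttl=300):
    """Build the identity-integration-connection-state gauge per DC.
    A DC is reported up (1) only if more than one of the three samples saw it
    connected; a single good sample out of three still reports it down (0)."""
    return [
        {"metric": "identity-integration-connection-state",
         "tags": {"name": ip}, "type": "gauge", "ttl": ttl,
         "value": 1 if hits > 1 else 0}
        for ip, hits in sorted(count_connections(runs).items())
    ]


if __name__ == "__main__":
    for m in connection_state_metrics(SAMPLE_RUNS):
        print(m["tags"]["name"], "connected" if m["value"] else "DOWN", m)
```

With the constructed sample, 192.168.123.51 is connected in two of three snapshots and is still reported up, while 10.0.0.21 is connected in only one and is reported down, which is the debouncing the three chained `adlog a dc` runs are there to provide.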

cross_vendor_identity_integration_down

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.{EndsWithRepetition, Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._

/**
  * Alerts when the identity-integration-connection-state metric reports an
  * identity/AAA server (e.g. a domain controller) as down. Evaluated over the
  * last three samples (historyLength = 3) so that a single transient
  * disconnection does not raise an alert.
  */
case class cross_vendor_identity_integration_down() extends StateDownTemplateRule(
  ruleName = "cross_vendor_identity_integration_down",
  ruleFriendlyName = "All Devices: Integration with identity/AAA server down",
  ruleDescription = "Some devices may integrate with identity or AAA servers to provide user identification, authentication and authorization services. If the integration is down, such services may be disrupted. indeni will alert if this occurs.",
  metricName = "identity-integration-connection-state",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected Servers",
  alertDescription = "Typically an administrator would not be aware of a disconnected domain controller (or identity/AAA server) until users can no longer reach resources they were previously able to, or they are now able to reach resources that were previously blocked.",
  baseRemediationText = "Make sure that the device can communicate with the identity/AAA server, that the username and password for accessing it are correct and that it has the permissions it needs.",
  historyLength = 3 /* Avoid transient issues */)(
  ConditionalRemediationSteps.VENDOR_CP -> "A way of confirming this can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91040"
)