Jumbo Hotfix Take mismatch across cluster members-checkpoint-all
Vendor: checkpoint
OS: all
Description:
indeni will identify when two devices are part of a cluster and alert if the jumbo hot fix installed is different.
Remediation Steps:
Compare the output of “show installer package” (under CLISH) across members of the cluster.
How does this work?
Using the Check Point command “installed_jumbo_take” we retreive the currently installed jumbo hotfixes.
Why is this important?
It is very important to make sure that devices are patched with the latest versions and hotfixes, to prevent downtime and security incidents.
Without Indeni how would you find this?
An administrator could login and manually run the command.
chkp-asg-diag-verify-newer
name: chkp-asg-diag-verify-newer
description: Check for any failures with asg diag verify
type: monitoring
monitoring_interval: 55 minute
requires:
vendor: checkpoint
asg: true
limited_availability_script: remove_this_line_to_enable_for_specific_customer
maestro-orchestrator:
neq: true
comments:
asg-test-state:
why: |
Check Point's scalable firewalls offer an on-demand diagnostic utility called "asg diag". It runs through a
series of pre-defined diagnostics on both the hardware an software configurations. The benefit in leveraging
asg diag is that it is packaged with proactive insights sourced by Check Point
how: |
Indeni runs an iteration of the asg diag across all the tests available. Because running the report can take
several minutes, Indeni pulls a report from the last iteration of the tests and identifies if any of the tests have failed
can-with-snmp: false
can-with-syslog: false
hotfix-jumbo-take:
why: |
It is very important to make sure that devices are patched with the latest versions and hotfixes, to prevent
downtime and security incidents.
how: |
Using the Check Point command "installed_jumbo_take" we retreive the currently installed jumbo hotfixes.
can-with-snmp: false
can-with-syslog: false
asg-test-state-other:
why: |
To collect the list of all the other failed tests besides the ones collected in this script.
how: |
By listing the results of all the tests collected in the scripts and updating if the particular test
failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-bridge:
why: |
To collect the test result of all the bridge interfaces
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ips-enhancement:
why: |
To collect the test result of the staus of the IPS enhancement
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-resources:
dynamic-name: true
why: |
To collect the test result of the staus of the resources
how: |
By listing the results of all the tests not collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-hardware:
dynamic-name: true
why: |
To collect the test result of the staus of the Chassis hardware
how: |
By listing the results of all the tests not collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-f2f-quota:
dynamic-name: true
why: |
To collect the test result of the staus of the "f2f quota" to determine the any abnormal flow in traffic paterns.
how: |
By listing the results of all the tests not collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-media-details:
dynamic-name: true
why: |
To collect the test result of the staus of the "transceiver" to determine if all the transceiver are certified
how: |
By listing the results of all the tests not collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-cpu-type:
dynamic-name: true
why: |
To collect the test result of the staus of the "f2f quota" to determine the any abnormal flow in traffic paterns.
how: |
By listing the results of all the tests collected in the scripts and updating if the st failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-cores-distribution:
dynamic-name: true
why: |
To collect the test result of the staus of the "Core Distribution" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-interfaces:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Interfaces" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-mac-setting:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Mac Setting" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-hide-nat-range:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Hide Nat Range" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-installation:
dynamic-name: true
why: |
To collect the test result of the staus of the test policy "Instalation" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-dynamic-routing:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Dynamic Routing" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-user-kernel-dist:
dynamic-name: true
why: |
To ensure uniform information about the distribution mode configuration in diffrent locations
how: |
By listing the result of collected tests and updating if the test failed or was successful.
asg-test-state-arp-consistency:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Arp Consistency" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-processes:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Processes" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-chassis-id:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Chassis ID" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-performance-hogs:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Performance hogs" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-security-group:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Security Group" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-local-arp:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Local Arp" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-acl-filter:
dynamic-name: true
why: |
To collect the test result of the staus of the test "ACL Filter" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-pim-neighbors:
dynamic-name: true
why: |
To collect the test result of the staus of the test "PIM neighbors" over the system.
how: |
By listing the result of collected tests and updating if the test failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-hw-utilization:
dynamic-name: true
why: |
To monitor the CPU configuration, connection capacity and CoreXL status on.
how: |
By listing the result of collected tests and updating if the test failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-core-dumps:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Core Dumps" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-lte:
dynamic-name: true
why: |
To collect the test result of the staus of the test "LTE" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ipv6-route:
dynamic-name: true
why: |
To collect the test result of the staus of the test "IPv6 routes" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-swb-updates:
dynamic-name: true
why: |
To collect the test result of the staus of the test "SWB updates" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-software-versions:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Software Versions" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-os-route-cache:
dynamic-name: true
why: |
To collect the test result of the staus of the test "OS Route Cache" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-amw-policy:
dynamic-name: true
why: |
To collect the test result of the staus of the test "AMW policy" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ssm-qos:
dynamic-name: true
why: |
To collect the test result of the staus of the test "SSM QOS" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-software-provision:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Software Provision" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-bmac-vmac-verify:
dynamic-name: true
why: |
To collect the test result of the VMAC and BMAC addresses across all SGMs.
how: |
By listing results of collected tests and updating if the test failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-syslog:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Syslog" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-dxl-balance:
dynamic-name: true
why: |
To collect the test result of the staus of the test "DXL Balance" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-syn-defender:
dynamic-name: true
why: |
To collect the test result of the staus of the test "SYN Defender" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-igmp-consistency:
dynamic-name: true
swhy: |
To collect the test result of the staus of the test "IGMP Consistency" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ipv4-route:
dynamic-name: true
why: |
To collect the test result of the staus of the test "IPv4 route" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-licenses:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Licenses" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-policy:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Policy" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-distribution-mode:
dynamic-name: true
why: |
To collect the test result of the staus of the test "Distribution mode" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-vsx-configuration:
dynamic-name: true
why: |
To collect the test result of the staus of the test "VSX configuration" over the system.
how: |
By listing the results of all the tests collected in the scripts and updating if the test failed
or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ssm-parity-errors:
dynamic-name: true
why: |
To check if there are any "SSM parity" errors reported.
how: |
By listing the result of collected tests and updating if the test failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-ssd-health:
dynamic-name: true
why: |
To collect the test result of the staus of the "SSD health" state over the system.
how: |
By listing the results of all the tests collected in the Check Point script "asg diag verify"
and updating if the test failed or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-spi-affinity:
dynamic-name: true
why: |
To collect the test result of the staus of the "spi affinity" state over the system.
how: |
By listing the results of all the tests collected in the Check Point script "asg diag verify"
and updating if the test failed or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-system-health:
dynamic-name: true
why: |
To collect the test result of the staus of the "System Health" to determine the health of the chassis.
how: |
By listing the results of all the tests collected in the Check Point script "asg diag verify" and
updating the "Sytem Health" test if failed or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-clock:
dynamic-name: true
why: |
To collect the test result of the staus of the "Clock" to determine the clock configuration across the
chassis.
how: |
By listing the results of all the tests collected in the Check Point script "asg diag verify" and
updating the "Clock" test if failed or was successful, based on the outcome of the test.
can-with-snmp: false
can-with-syslog: false
asg-test-state-configuration-file:
dynamic-name: true
why: |
To collect the test result for consistency of the configuration file across all the SGMs.
how: |
By listing the result of collected tests and updating if the test failed or was successful.
can-with-snmp: false
can-with-syslog: false
asg-test-state-:
dynamic-name: true
why: |
The parameter is part of safe mechanism and needs to be maintained in the file
how: |
By maintaining the parameter in the file
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: SSH
file: asg-diag-verify.remote.1.bash
parse:
type: AWK
file: asg-diag-verify.parser.1.awk
checkpoint_compare_jumbo_hotfix
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/checkpoint_compare_jumbo_hotfix.scala