Jumbo Hotfix Take mismatch across cluster members-checkpoint-all

Vendor: checkpoint

OS: all

Description:
Indeni will identify when two devices are part of a cluster and alert if the Jumbo Hotfix Take installed on them differs.

Remediation Steps:
Compare the output of “show installer package” (under CLISH) across members of the cluster.

How does this work?
Using the Check Point command "installed_jumbo_take" we retrieve the currently installed Jumbo Hotfix Take.

Why is this important?
It is very important to make sure that devices are patched with the latest versions and hotfixes, to prevent downtime and security incidents.

Without Indeni how would you find this?
An administrator could log in to each cluster member and manually run the command, then compare the results.
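The comparison the rule performs, as an added shell example that is not indeni's or Check Point's code: it extracts the take number from each member's installed_jumbo_take output and flags a mismatch, or a member whose output carries no parseable take. The output line format (assumed here to contain "Take <N>") and the member names are constructed assumptions; collecting the output over SSH from each member is left to the caller.

```shell
#!/bin/sh
# Added example (not indeni's rule code): compare the Jumbo Hotfix Take reported
# by each cluster member, the same check checkpoint_compare_jumbo_hotfix makes.
# Assumption: one line of "installed_jumbo_take" output per member contains
# "Take <N>". Fetching that output over SSH is outside this block.

# Constructed sample outputs for the cluster members (format assumed).
MEMBER1_OUT='Jumbo Hotfix Accumulator for R80.40: Take 120'
MEMBER2_OUT='Jumbo Hotfix Accumulator for R80.40: Take 118'
MEMBER3_OUT='No Jumbo Hotfix installed'   # edge case: nothing to parse

# extract_take: print the integer that follows "Take" (case-insensitive),
# or print nothing when no take is present in the output.
extract_take() {
    printf '%s\n' "$1" | awk '
        {
            line = tolower($0)
            if (match(line, /take[ \t]*[0-9]+/)) {
                s = substr(line, RSTART, RLENGTH)
                sub(/take[ \t]*/, "", s)
                print s
                exit
            }
        }'
}

# compare_takes: arguments are "member=output" pairs. Prints one line per
# member plus a verdict; returns 0 only when every member reports the same
# take, 1 on a mismatch or when a member yields no parseable take.
compare_takes() {
    first=""
    status=0
    for pair in "$@"; do
        name=${pair%%=*}
        out=${pair#*=}
        take=$(extract_take "$out")
        if [ -z "$take" ]; then
            echo "$name: no jumbo take found in output"
            status=1
            continue
        fi
        echo "$name: take $take"
        if [ -z "$first" ]; then
            first=$take
        elif [ "$first" != "$take" ]; then
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: all members on take $first"
    else
        echo "ALERT: Jumbo Hotfix Take mismatch across cluster members"
    fi
    return $status
}

# Stand-alone demo: two members on different takes trigger the alert.
compare_takes "fw1=$MEMBER1_OUT" "fw2=$MEMBER2_OUT" || echo "(rule would raise an alert)"
```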

chkp-asg-diag-verify-newer

name: chkp-asg-diag-verify-newer
description: Check for any failures with asg diag verify
type: monitoring
monitoring_interval: 55 minute
requires:
    vendor: checkpoint
    asg: true
    limited_availability_script: remove_this_line_to_enable_for_specific_customer
    maestro-orchestrator:
        neq: true
comments:
    asg-test-state:
        why: |
            Check Point's scalable firewalls offer an on-demand diagnostic utility called "asg diag". It runs through a
            series of pre-defined diagnostics on both the hardware and software configurations. The benefit of leveraging
            asg diag is that it is packaged with proactive insights sourced by Check Point.
        how: |
            Indeni runs an iteration of asg diag across all the tests available. Because running the report can take
            several minutes, Indeni pulls the report from the last iteration of the tests and identifies whether any of them failed.
        can-with-snmp: false
        can-with-syslog: false

    hotfix-jumbo-take:
        why: |
            It is very important to make sure that devices are patched with the latest versions and hotfixes, to prevent
            downtime and security incidents.
        how: |
            Using the Check Point command "installed_jumbo_take" we retrieve the currently installed Jumbo Hotfix Take.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-other:
        why: |
            To collect the list of all the other failed tests besides the ones collected in this script.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the particular test
            failed or was successful.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-bridge:
        why: |
            To collect the test result of all the bridge interfaces
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-ips-enhancement:
        why: |
            To collect the test result of the status of the IPS enhancement.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-resources:
        dynamic-name: true
        why: |
            To collect the test result of the status of the resources.
        how: |
            By listing the results of all the tests not collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false


    asg-test-state-hardware:
        dynamic-name: true
        why: |
            To collect the test result of the status of the Chassis hardware.
        how: |
            By listing the results of all the tests not collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-f2f-quota:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "f2f quota" to determine any abnormal flow in traffic patterns.
        how: |
            By listing the results of all the tests not collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-media-details:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "transceiver" to determine if all the transceivers are certified.
        how: |
            By listing the results of all the tests not collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-cpu-type:
        dynamic-name: true
        why: |
            To collect the test result of the status of the CPU type over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-cores-distribution:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "Core Distribution" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-interfaces:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Interfaces" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-mac-setting:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Mac Setting" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-hide-nat-range:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Hide Nat Range" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-installation:
        dynamic-name: true
        why: |
            To collect the test result of the status of the policy "Installation" test over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-dynamic-routing:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Dynamic Routing" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-user-kernel-dist:
        dynamic-name: true
        skip-documentation: true

    asg-test-state-arp-consistency:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Arp Consistency" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-processes:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Processes" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-chassis-id:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Chassis ID" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-performance-hogs:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Performance hogs" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-security-group:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Security Group" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-local-arp:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Local Arp" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-acl-filter:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "ACL Filter" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-pim-neighbors:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "PIM neighbors" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-hw-utilization:
        dynamic-name: true
        skip-documentation: true


    asg-test-state-core-dumps:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Core Dumps" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-lte:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "LTE" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-ipv6-route:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "IPv6 routes" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-swb-updates:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "SWB updates" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-software-versions:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Software Versions" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-os-route-cache:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "OS Route Cache" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-amw-policy:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "AMW policy" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-ssm-qos:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "SSM QOS" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-software-provision:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Software Provision" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-bmac-vmac-verify:
        dynamic-name: true
        skip-documentation: true

    asg-test-state-syslog:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Syslog" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-dxl-balance:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "DXL Balance" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-syn-defender:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "SYN Defender" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-igmp-consistency:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "IGMP Consistency" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-ipv4-route:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "IPv4 route" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-licenses:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Licenses" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-policy:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Policy" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-distribution-mode:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "Distribution mode" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-vsx-configuration:
        dynamic-name: true
        why: |
            To collect the test result of the status of the test "VSX configuration" over the system.
        how: |
            By listing the results of all the tests collected in the scripts and updating if the test failed
            or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-ssm-parity-errors:
        dynamic-name: true
        why: |
            To check if there are any "SSM parity" errors reported.
        how: |
            By checking the results of all the tests collected in the Check Point script "asg diag verify" to see whether
            the test failed or was successful, based on the outcome of the test.

    asg-test-state-ssd-health:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "SSD health" state over the system.
        how: |
            By listing the results of all the tests collected in the Check Point script "asg diag verify"
            and updating if the test failed or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-spi-affinity:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "spi affinity" state over the system.
        how: |
            By listing the results of all the tests collected in the Check Point script "asg diag verify"
            and updating if the test failed or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-system-health:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "System Health" to determine the health of the chassis.
        how: |
            By listing the results of all the tests collected in the Check Point script "asg diag verify" and
            updating the "System Health" test if it failed or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-clock:
        dynamic-name: true
        why: |
            To collect the test result of the status of the "Clock" to determine the clock configuration across the
            chassis.
        how: |
            By listing the results of all the tests collected in the Check Point script "asg diag verify" and
            updating the "Clock" test if it failed or was successful, based on the outcome of the test.
        can-with-snmp: false
        can-with-syslog: false

    asg-test-state-configuration-file:
        dynamic-name: true
        skip-documentation: true

    asg-test-state-:
        skip-documentation: true
steps:
   -  run:
          type: SSH
          file: asg-diag-verify.remote.1.bash
      parse:
          type: AWK
          file: asg-diag-verify.parser.1.awk
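An added example of the parsing step described in the comments above (not indeni's asg-diag-verify.parser.1.awk): it maps each test line of a stored asg diag verify report to an asg-test-state-<name> metric, 1 for passed and 0 for failed, and lists the failed tests for the alert. The report layout used here is a constructed assumption, not real Check Point output, and collecting the report is outside the block.

```shell
#!/bin/sh
# Added example (not indeni's parser): derive asg-test-state-<name> metrics
# from the last stored "asg diag verify" report and list the failed tests.
# Assumed layout: one test per line, "<number>  <test name>  <Passed|Failed>".

# Constructed report excerpt (layout assumed, not real Check Point output).
REPORT='Test  Description            Result
1     System Health          Passed
2     Core Dumps             Failed
3     Software Versions      Passed
4     SSM Parity Errors      Failed
5     Clock                  Passed'

# parse_report: print "metric value" per test line, naming the metric the
# way the dynamic-name entries above do (lower case, spaces become dashes).
# The header line and anything without a Passed/Failed result are skipped.
parse_report() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && ($NF == "Passed" || $NF == "Failed") {
            name = ""
            for (i = 2; i < NF; i++) name = name (i > 2 ? "-" : "") tolower($i)
            print "asg-test-state-" name, ($NF == "Passed" ? 1 : 0)
        }'
}

# failed_tests: names of the tests whose metric is 0 (one per line).
failed_tests() {
    parse_report "$1" | awk '$2 == 0 { sub(/^asg-test-state-/, "", $1); print $1 }'
}

# count_failures: number of failed tests in the report (0 means no alert).
count_failures() {
    failed_tests "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: metrics followed by the failure count the rule would act on.
parse_report "$REPORT"
echo "failed tests: $(count_failures "$REPORT")"
```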

checkpoint_compare_jumbo_hotfix

// Deprecation warning: Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
/**
  * Snapshot-comparison rule: raises an alert when the hotfix-jumbo-take metric
  * differs between members of the same Check Point cluster.
  */
case class checkpoint_compare_jumbo_hotfix() extends SnapshotComparisonTemplateRule(
  ruleName = "checkpoint_compare_jumbo_hotfix",
  ruleFriendlyName = "Check Point Cluster: Jumbo Hotfix Take mismatch across cluster members",
  ruleDescription = "indeni will identify when two devices are part of a cluster and alert if the jumbo hot fix installed is different.",
  metricName = "hotfix-jumbo-take",
  isArray = false,
  alertDescription = "The members of a cluster of Check Point firewalls must have the same jumbo hot fix installed.",
  baseRemediationText = """Compare the output of "show installer package" (under CLISH) across members of the cluster.""")()