Nat Connection Limit Nearing-checkpoint-all
Vendor: checkpoint
OS: all
Description:
Indeni will alert when the number of NAT connections on a device is nearing its limit.
Remediation Steps:
The NAT connection table is near capacity. Refer to the following Check Point article for how to adjust the limit: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32224
chkp-fw_tab_stats-vsx
name: chkp-fw_tab_stats-vsx
description: Run "fw tab" on all VSs in a VSX environment
type: monitoring
monitoring_interval: 15 minute
requires:
    vendor: checkpoint
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: true
comments:
    kernel-table-actual:
        why: |
            To check the kernel table for the VS context
        how: |
            By running the Check Point command "fw tab" in each VS context
        can-with-snmp: false
        can-with-syslog: false
    kernel-table-limit:
        why: |
            To check the kernel table limit for the VS context
        how: |
            By running the Check Point command "fw tab" in each VS context
        can-with-snmp: false
        can-with-syslog: false
    identity-awareness-users-actual:
        why: |
            To check the users registered in the "identity awareness" blade for the VS context
        how: |
            By running the Check Point command "fw tab" in each VS context
        can-with-snmp: false
        can-with-syslog: false
    identity-awareness-users-limit:
        why: |
            To check the user limit for the "identity awareness" blade for the VS context
        how: |
            By running the Check Point command "fw tab" in each VS context
        can-with-snmp: false
        can-with-syslog: false
    nat-connections:
        why: |
            To collect the number of concurrent NAT connections across all VS contexts
        how: |
            By running the Check Point command "asg perf -vs " together with "vsx stat -l"
            and parsing the output
        can-with-snmp: false
        can-with-syslog: false
    nat-connections-limit:
        why: |
            To collect the NAT connection limit across all VS contexts
        how: |
            By running the Check Point command "asg perf -vs " together with "vsx stat -l"
            and parsing the output
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        file: fw-tab-stats-vsx.remote.1.bash
    parse:
        type: AWK
        file: fw-tab-stats-vsx.parser.1.awk
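The script above collects two metrics per VS context, nat-connections and nat-connections-limit, and the rule alerts when the first is nearing the second. The following is an added example of that evaluation in Python; it is not Indeni's CheckPointNatConnectionLimitNoVsxRule (whose Scala source is only linked on this page) and it generalizes to a list of VS contexts. The VsMetrics type, the 80% threshold, the sample values and the handling of a missing limit are assumptions made here.

```python
"""Added example: evaluate the "NAT connection limit nearing" condition
over per-VS metrics. Not Indeni's rule code; names and threshold are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VsMetrics:
    """One VS context's NAT metrics (hypothetical container, not Indeni's model).

    limit is None when the collector found no nat-connections-limit value
    for this VS, which a rule must not confuse with "limit is zero".
    """
    vs_name: str
    actual: int            # nat-connections
    limit: Optional[int]   # nat-connections-limit


def usage_ratio(actual: int, limit: Optional[int]) -> Optional[float]:
    """Fraction of the NAT table in use, or None when no usable limit exists.

    A missing or zero limit is reported as None rather than treated as
    'full' (which would divide by zero) or silently as 'fine'.
    """
    if limit is None or limit <= 0:
        return None
    return actual / limit


def evaluate(vs_metrics: List[VsMetrics], threshold: float = 0.8) -> Dict[str, str]:
    """Return vs_name -> message for each VS at or above the threshold.

    VS contexts whose limit is unknown also get an entry, so a collection
    gap shows up as a finding instead of disappearing from the report.
    The 80% default is an assumed value, not the page's.
    """
    findings: Dict[str, str] = {}
    for m in vs_metrics:
        ratio = usage_ratio(m.actual, m.limit)
        if ratio is None:
            findings[m.vs_name] = "NAT connection limit unknown; cannot evaluate"
        elif ratio >= threshold:
            findings[m.vs_name] = (
                f"NAT connection table near capacity: "
                f"{m.actual}/{m.limit} ({ratio:.0%})"
            )
    return findings


# Constructed sample input (not output of any real "asg perf -vs" run).
SAMPLE = [
    VsMetrics("VS1", actual=21000, limit=25000),   # 84%: nearing limit
    VsMetrics("VS2", actual=3000, limit=25000),    # 12%: fine
    VsMetrics("VS3", actual=500, limit=None),      # limit not collected
]

if __name__ == "__main__":
    for vs, msg in sorted(evaluate(SAMPLE).items()):
        print(f"{vs}: {msg}")
```

Keeping the ratio computation separate from the alert decision makes the threshold easy to tune per environment and keeps the "no limit known" case explicit, which matters on VSX where some VS contexts may legitimately not report a NAT limit.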
CheckPointNatConnectionLimitNoVsxRule
https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/CheckPointNatConnectionLimitNoVsxRule.scala