Network interface ipv4 subnet does not match across cluster members-checkpoint-gaia,secureplatform


Vendor: checkpoint

OS: gaia,secureplatform

Description:
Indeni will identify when two devices are part of a cluster and alert if their network interface IPv4 subnets are different.

Remediation Steps:
Ensure the network interface ipv4 subnet setting matches across devices in a cluster.

How does this work?
The subnet of the interface is retrieved by running “ifconfig -a”.

Why is this important?
To be able to search for IP addresses in Indeni, this data needs to be stored.

Without Indeni how would you find this?
An administrator could log in and manually check interface configuration, or use SNMP.

chkp-os-interfaces-novsx

#! META
name: chkp-os-interfaces-novsx
description: Get interface information
type: monitoring
monitoring_interval: 1 minute
requires:
    vendor: "checkpoint"
    and:
        -
            or:
                -
                    os.name: "gaia"
                -
                    os.name: "secureplatform"
        -
            or:
                -
                    vsx: 
                        neq: "true"
                -
                    mds: "true"

#! COMMENTS
network-interface-state:
    why: |
        Interfaces in the "down" state could result in downtime or reduced redundancy.
    how: |
        The state of the interface is retrieved by running "ethtool".
    without-indeni: |
        An administrator could login and manually check interface status, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-admin-state:
    why: |
        If the interface is disabled, then it is okay for it to be down. If the interface is enabled however, it should be up.
    how: |
        Retrieve the information by parsing the Gaia database in /config/active.
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-speed:
    why: |
        If the interface speed is set to a low value, this could mean auto-negotiation is not working correctly and the interface does not utilize the full bandwidth available.
    how: |
        The speed of the interface is retrieved by running "ethtool".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-duplex:
    why: |
        If the interface has half-duplex setting, this will reduce throughput, and should be investigated.
    how: |
        The duplex of the interface is retrieved by running "ethtool".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-ipv4-address:
    why: |
        To be able to search for IP addresses in indeni, this data needs to be stored.
    how: |
        The IP address of the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP, WebUI or SmartDashboard.

network-interface-ipv4-subnet:
    why: |
        To be able to search for IP addresses in indeni, this data needs to be stored.
    how: |
        The subnet of the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP, WebUI or SmartDashboard.

network-interface-type:
    why: |
        The type of interface can be useful for administrators.
    how: |
        The type of the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface or SNMP.

network-interface-mtu:
    why: |
        The MTU sometimes needs to be adjusted. Storing this gives an administrator an easy way to view the MTU from a large number of devices, as well as identifying incorrectly set MTU.
    how: |
        The MTU of the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-mac:
    why: |
        To be able to search for MAC addresses in indeni, this data needs to be stored.
    how: |
        The MAC address of the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-description:
    why: |
        The description is an important way to identify interfaces.
    how: |
        Retrieve the information by parsing the Gaia database in /config/active.
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-tx-bytes:
    why: |
        It is useful to know how much data has been transmitted by the interface.
    how: |
        How many bytes sent by the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-rx-bytes:
    why: |
        It is useful to know how much data has been received by the interface.
    how: |
        How many bytes received by the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-tx-packets:
    why: |
        It is useful to know how many packets have been transmitted by the interface.
    how: |
        How many packets sent by the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-rx-packets:
    why: |
        It is useful to know how many packets have been received by the interface.
    how: |
        How many packets received by the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-tx-errors:
    why: |
        Transmit errors on an interface could indicate a problem.
    how: |
        The amount of transmit errors for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-rx-dropped:
    why: |
        Dropped packets on an interface could indicate a problem and potential traffic loss.
    how: |
        The amount of receive drops for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-tx-overruns:
    why: |
        Transmit overruns on an interface could indicate a problem.
    how: |
        The amount of transmit overruns for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-rx-overruns:
    why: |
        Receive overruns on an interface could indicate a problem.
    how: |
        The amount of receive overruns for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-tx-carrier:
    why: |
        A high carrier number could mean that the link is flapping.
    how: |
        The carrier counter for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interface-rx-frame:
    why: |
        A high frame number means a lot of packets did not end on a 32bit/4 byte boundary.
    how: |
        The frame counter for the interface is retrieved by running "ifconfig -a".
    without-indeni: |
        An administrator could login and manually check interface configuration, or use SNMP.
    can-with-snmp: true
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface, SNMP or WebUI.

network-interfaces:
    skip-documentation: true

network-interface-:
    skip-documentation: true

#! REMOTE::SSH
${nice-path} -n 15 ifconfig -a|grep "HWaddr"| awk {'print $1'}| while read interface; do ${nice-path} -n 15 ifconfig $interface && ${nice-path} -n 15 ethtool -i $interface && ${nice-path} -n 15 ethtool $interface ; ${nice-path} -n 15 grep "interface:$interface" /config/active; done ; ifconfig |awk '/^[a-zA-Z]/ { print "enabled: " $1 }'


#! PARSER::AWK

function getValue(s){
	sub(/^.+:/, "", s)
	return s
}

# Function to calculate number of binary 1s in a decimal number
function count1s(N) {
	r = ""                    # initialize result to empty (not 0)
	while (N != 0) {            # as long as number still has a value
		r = ((N%2)?"1":"0") r   # prepend the modulos2 to the result
		N = int(N/2)            # shift right (integer division by 2)
	}

	# count number of 1s
	r = gsub(/1/,"",r)
	# Return result
	return r
}

# Function to convert a subnetMask (example: 255.255.255.0) to subnet prefix (example: 24)
function subnetMaskToPrefix(subnetMask) {
	split(subnetMask, subnetMaskArr, "\\.")
	prefix = count1s(subnetMaskArr[1]) + count1s(subnetMaskArr[2]) + count1s(subnetMaskArr[3]) + count1s(subnetMaskArr[4])
	return prefix
}

############
# Script explanation: We avoid running clish commands because they create excessive logs in /var/log/messages, so we use ifconfig and parse /config/active instead.
###########

#eth0        Link encap:Ethernet  HWaddr 00:0C:29:FF:5B:0C
/Link encap:/ {

	interfaceName = $1
	statTags["name"] = interfaceName
	interfaces[interfaceName, "name"] = interfaceName
	adminStateArr[interfaceName] =  0
	
	# Type
	type = getValue($3)
	writeComplexMetricString("network-interface-type", statTags, type)
	
	# MAC
	writeComplexMetricString("network-interface-mac", statTags, $5)

	next
}


#inet addr:192.168.245.2  Bcast:192.168.245.255  Mask:255.255.255.0
/inet addr:/ {
	ip = getValue($2)
	netMask = getValue($4)
	#subnetLen = subnetMaskToPrefix(netMask)

	ipTags["name"] = interfaceName
	ipTags["im.identity-tags"] = "name"
	ipTags["im.dstype.displaytype"] = "string"

	writeComplexMetricStringWithLiveConfig("network-interface-ipv4-address", ipTags, ip, "Network Interfaces - IPv4 Address")
	writeComplexMetricStringWithLiveConfig("network-interface-ipv4-subnet", ipTags, netMask, "Network Interfaces - IPv4 Netmask")

	next
}



#BROADCAST MULTICAST  MTU:1500  Metric:1
#UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
/MTU/ {
	# MTU
	mtu = getValue($(NF-1))
	interfaces[interfaceName, "mtu"] = mtu
	writeComplexMetricString("network-interface-mtu", statTags, mtu)

	next
}


#       TX bytes:2096249117 packets:2975595223 errors:0 dropped:0 overruns:0 carrier:0
#       RX bytes:3891794260 packets:264187186 errors:0 dropped:0 overruns:0 frame:0
#       RX bytes:3964467449 (3.6 GiB)  TX bytes:922468769 (879.7 MiB)
#       RX packets:123982210 errors:0 dropped:0 overruns:0 frame:0
#       TX packets:61771739 errors:0 dropped:0 overruns:0 carrier:0
/(X bytes:|X packets:)/ {

	# Go over the line, field by field.
	for (i = 1; i<=NF; i++) {

		# Detect if current field contains RX or TX.
		#RX
		if ($i ~ /^(RX|TX)$/) {
			metricPrefix = tolower($i)
		}

		# Detect if the current field is data that should be stored
		#bytes:3964467449
		#errors:0
		if ($i ~ /[a-z]:[0-9]+$/) {
			split($i, statParts, ":")
			name = statParts[1]
			value = statParts[2]
			writeDoubleMetricWithLiveConfig("network-interface-" metricPrefix "-" name, statTags, "gauge", "60", value, "Network Interfaces - " metricPrefix " " name, "number", "name")
		}
	}

	next
}

#driver: vmxnet3
/driver:/ {
	interfaces[interfaceName, "driver"] = $2

	next
}

#Speed: 100Mb/s
/Speed:/ {
	speed = $2
	gsub(/b\/s/, "", speed)
	# The speed metric needs special tags for alerting purposes
	speed_tags["name"] = interfaceName
	speed_tags["alert-item-port-speed"] = interfaceName "-" speed
	writeComplexMetricString("network-interface-speed", speed_tags, speed)

	next
}

#Duplex: Full
/Duplex:/ {
	duplex = tolower($2)
	writeComplexMetricString("network-interface-duplex", statTags, duplex)

	next
}


#Link detected: yes
/Link detected:/ {
	if ($3 == "yes") {
		linkstate = 1
	} else {
		linkstate = 0
	}
	writeDoubleMetricWithLiveConfig("network-interface-state", statTags, "gauge", "60", linkstate, "Network Interfaces - Up/Down", "state", "name")

	next
}

#Auto-negotiation: on
/Auto-negotiation:/ {
	interfaces[interfaceName, "auto-negotiation"] = $2

	next
}

#interface:eth2:state on
/interface:[a-z]+[0-9]+:state/ {

	# Admin state
	if ($2 != "off") {
		adminState = 1
	} else {
		adminState = 0
	}
	adminStateArr[interfaceName] = adminState
	
	# If we found data using the parsing of the /config/active file, we do not need to use the standard linux way.
	interfaceStateGaia = 1

	next
}

#interface:eth1:comments Private2\ lala
#interface:eth1:comments Test
/interface:[a-z]+[0-9]+:comments/ {
	# If the comment is in two words or more, a backslash is inserted. We need to remove it
	confLine = $0
	gsub(/interface:[a-z]+[0-9]+:comments/, "", confLine)
	gsub(/(\\)/, "", confLine)
	writeComplexMetricString("network-interface-description", statTags, trim(confLine))

	next
}

#enabled: eth2
/^enabled:/ {
	if (interfaceStateGaia != 1) {
		adminStateArr[$2] = 1
	}

	next
}


END {
	writeComplexMetricObjectArray("network-interfaces", null, interfaces)
	
	for (id in adminStateArr) {
		statTags["name"] = id
		adminState = adminStateArr[id]
		writeDoubleMetricWithLiveConfig("network-interface-admin-state", statTags, "gauge", "60", adminState, "Network Interfaces - Enabled/Disabed", "state", "name")
	}
}

CrossVendorClusterInterfaceIpv4SubnetVsx

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, SnapshotComparisonTemplateRule}
import com.indeni.server.common.data.conditions.{Equals => DataEquals}

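/**
  * Alerts when the "network-interface-ipv4-subnet" metric for an interface differs between cluster members.
  * This variant applies to devices tagged vsx=true; the NonVsx variant below covers all other devices.
  */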
case class CrossVendorClusterInterfaceIpv4SubnetVsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "CrossVendorClusterInterfaceIpv4SubnetVsx",
  ruleFriendlyName = "Clustered Devices: Network interface ipv4 subnet does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their network interface ipv4 subnet are different.",
  metricName = "network-interface-ipv4-subnet",
  applicableMetricTag = "name",
  descriptionMetricTag = "vs.name",
  metaCondition = DataEquals("vsx", "true"),
  isArray = false,
  alertDescription = "Devices that are part of a cluster must have the same network interface ipv4 subnet setting. Review the differences below.",
  baseRemediationText = "Ensure the network interface ipv4 subnet setting matches across devices in a cluster.")()


case class CrossVendorClusterInterfaceIpv4SubnetNonVsx(context: RuleContext) extends SnapshotComparisonTemplateRule(context,
  ruleName = "CrossVendorClusterInterfaceIpv4SubnetNonVsx",
  ruleFriendlyName = "Clustered Devices: Network interface ipv4 subnet does not match across cluster members",
  ruleDescription = "Indeni will identify when two devices are part of a cluster and alert if their network interface ipv4 subnet are different.",
  metricName = "network-interface-ipv4-subnet",
  applicableMetricTag = "name",
  metaCondition = !DataEquals("vsx", "true"),
  isArray = false,
  alertDescription = "Devices that are part of a cluster must have the same network interface ipv4 subnet setting. Review the differences below.",
  baseRemediationText = "Ensure the network interface ipv4 subnet setting matches across devices in a cluster.")()
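
Added example (not part of the Indeni script or rule above): the manual check described under "Without Indeni how would you find this?", written as a shell/awk script that compares per-interface netmasks from two saved "ifconfig -a" captures and rejects non-contiguous masks, which the bit counting in count1s alone would accept. The function names, file names and sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed; function names are hypothetical.

# mask_to_prefix MASK: print the prefix length, or fail on a malformed or
# non-contiguous mask (255.0.255.0 has 16 one-bits but is not a /16).
mask_to_prefix() {
    echo "$1" | awk -F'[.]' '
    NF != 4 { exit 1 }
    {
        bits = 0; seen_zero = 0
        for (i = 1; i <= 4; i++) {
            if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            for (b = 128; b >= 1; b /= 2) {
                if (int($i / b) % 2) { if (seen_zero) exit 1; bits++ }
                else seen_zero = 1
            }
        }
        print bits
    }'
}

# subnet_mismatches FILE_A FILE_B: print "iface maskA maskB" for every
# interface whose netmask differs between two saved "ifconfig -a" captures.
subnet_mismatches() {
    # An empty capture (failed SSH session) must not read as "all missing".
    [ -s "$1" ] && [ -s "$2" ] || { echo "empty capture" >&2; return 2; }
    awk '
    FNR == 1      { member++ }
    /Link encap:/ { iface = $1; next }
    /inet addr:/  {
        # Locate Mask: by label; its field position varies by interface type.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Mask:/) mask[member, iface] = substr($i, 6)
        names[iface] = 1
    }
    END {
        for (n in names) {
            a = ((1, n) in mask) ? mask[1, n] : "missing"
            b = ((2, n) in mask) ? mask[2, n] : "missing"
            if (a != b) print n, a, b
        }
    }' "$1" "$2" | sort
}

# Constructed "ifconfig -a" output for one member; $1 is the mask on eth1.
sample_ifconfig() {
    cat <<EOF
eth0      Link encap:Ethernet  HWaddr 00:0C:29:FF:5B:0C
          inet addr:192.168.245.2  Bcast:192.168.245.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0C:29:FF:5B:16
          inet addr:10.0.0.2  Bcast:10.0.1.255  Mask:$1
EOF
}

tmp=$(mktemp -d)
sample_ifconfig 255.255.254.0 > "$tmp/member-a"
sample_ifconfig 255.255.255.0 > "$tmp/member-b"
subnet_mismatches "$tmp/member-a" "$tmp/member-b" | while read -r iface a b; do
    echo "$iface: member-a /$(mask_to_prefix "$a"), member-b /$(mask_to_prefix "$b")"
done
rm -rf "$tmp"
```

Empty output from subnet_mismatches means every addressed interface carries the same netmask on both members.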