Packet drop counters increasing-checkpoint-False

Vendor: checkpoint

OS: False

Description:
indeni will track packet drop counters and alert if any important counters are incrementing.

Remediation Steps:
Contact your technical support provider.

How does this work?
indeni uses the built-in Check Point "asg_drop_monitor" command to retrieve the number of drops.

Why is this important?
A large increase in dropped packets could mean that a new rule is blocking legitimate traffic, or that some traffic needs a firewall rule to be allowed out.

Without Indeni how would you find this?
An administrator could log in and run the command manually.

chkp-asg-drop-monitor

#! META
name: chkp-asg-drop-monitor
description: Retrieve drop data
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: checkpoint
    asg: true

#! COMMENTS
packet-drop-counter:
    why: |
        A large increase in dropped packets could mean that a new rule is blocking legitimate traffic, or that some traffic needs a firewall rule to be allowed out.
    how: |
        indeni uses the built-in Check Point "asg_drop_monitor" command to retrieve the number of drops.
    without-indeni: |
        An administrator could log in and run the command manually.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing the drops is only available from the command line interface.

#! REMOTE::SSH
cat `which asg_drop_monitor` | sed 's/watch -d -t/bash -c/' | bash

#! PARSER::AWK

BEGIN {
	# 0 until the "Reason ... Value" header is seen; from then on each row
	# carries up to two name/value pairs separated by runs of 3+ spaces.
	ppakDropsSection = 0
}

#IP Stack qdisc drops (Tx):
#general reason                      15    PXL decision                        307
/^[a-zA-Z]/ {
	if (ppakDropsSection != 1) {
		name = $0
	} else if (ppakDropsSection == 1) {
		split($0, splitArr, /[ ]{3,}/)

		tags["name"] = splitArr[1]
		writeDoubleMetric("packet-drop-counter", tags, "counter", 300, splitArr[2])

		tags["name"] = splitArr[3]
		writeDoubleMetric("packet-drop-counter", tags, "counter", 300, splitArr[4])
	}
}

#300
/^[0-9]+$/ {
	tags["name"] = name
	writeDoubleMetric("packet-drop-counter", tags, "counter", 300, $1)
}

#Reason                Value              Reason                Value
/^Reason/ {
	ppakDropsSection = 1
}

cross_vendor_packet_drops

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.NumericThresholdOnDoubleMetricWithItemsTemplateRule
/**
  * Alerts when any "packet-drop-counter" item (tagged by its "name") increases
  * faster than the threshold of 100 per second, except for the counters listed
  * in itemsToIgnore.
  */
case class cross_vendor_packet_drops() extends NumericThresholdOnDoubleMetricWithItemsTemplateRule(
  ruleName = "cross_vendor_packet_drops",
  ruleFriendlyName = "All Devices: Packet drop counters increasing",
  ruleDescription = "indeni will track packet drop counters and alert if any important counters are incrementing.",
  metricName = "packet-drop-counter",
  applicableMetricTag = "name",
  threshold = 100.0,
  alertDescription = "Some devices track the number of packets being dropped for various reasons. The current packet drop counters which are indicating dropped packets are listed below.",
  alertItemDescriptionFormat = "The drop counter is increasing at a rate of %.0f per second.",
  baseRemediationText = "Contact your technical support provider.",
  alertItemsHeader = "Affected Counters",
  itemsToIgnore = Set("flow_tcp_non_syn_drop".r, "flow_fwd_l3_bcast_drop".r, "flow_host_service_deny".r, "flow_ipv6_disabled".r, "flow_rcv_dot1q_tag_err".r, "flow_parse_l4_tcpsynfin".r, "flow_parse_l4_tcpfin".r, "flow_fwd_l3_mcast_drop".r, "^$".r))(
)
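As an added example, not part of the indeni collector or rule above, this Python code reimplements both the AWK parser's two layouts and the rule's per-item rate threshold against constructed sample output in the format the parser's comment lines show. The 300-second interval comes from the script's metric calls; treating itemsToIgnore as a regex search is an assumption.

```python
import re
# Patterns from the rule's itemsToIgnore; "^$" covers the empty name the AWK
# parser emits for the unpaired half of an odd "Reason" row.
IGNORE = [re.compile(p) for p in (
    "flow_tcp_non_syn_drop", "flow_fwd_l3_bcast_drop", "flow_host_service_deny",
    "flow_ipv6_disabled", "flow_rcv_dot1q_tag_err", "flow_parse_l4_tcpsynfin",
    "flow_parse_l4_tcpfin", "flow_fwd_l3_mcast_drop", "^$")]
THRESHOLD = 100.0  # drops per second, as in the Scala rule
INTERVAL = 300     # seconds between samples (monitoring_interval: 5 minute)

# Constructed samples in the layout the AWK comments show (not real device output).
SAMPLE_PREV = """IP Stack qdisc drops (Tx):
300
Reason                Value              Reason                Value
general reason                      15    PXL decision                        307
flow_tcp_non_syn_drop               9
"""
SAMPLE_NOW = """IP Stack qdisc drops (Tx):
45300
Reason                Value              Reason                Value
general reason                      15    PXL decision                        60307
flow_tcp_non_syn_drop               90009
"""

def parse_drops(text):
    """Mirror the AWK parser: name line + bare number, then 'Reason' rows split on 3+ spaces."""
    counters, in_reason, name = {}, False, None
    for line in text.splitlines():
        if line.startswith("Reason"):
            in_reason = True
        elif re.fullmatch(r"[0-9]+", line) and name is not None:
            counters[name] = int(line)
        elif re.match(r"[A-Za-z]", line) and not in_reason:
            name = line
        elif re.match(r"[A-Za-z]", line):
            cols = re.split(r" {3,}", line.strip())
            for i in range(0, len(cols) - 1, 2):  # skip an unpaired trailing name
                counters[cols[i]] = int(cols[i + 1])
    return counters

def rising_counters(prev, now):
    """Counters growing faster than THRESHOLD per second, skipping IGNORE (regex search assumed)."""
    out = []
    for n, v in now.items():
        if n in prev and not any(p.search(n) for p in IGNORE):
            rate = (v - prev[n]) / INTERVAL
            if rate > THRESHOLD:
                out.append((n, rate))
    return out
```

Feeding two consecutive samples to rising_counters yields the items the rule would list under "Affected Counters"; the ignored flow_tcp_non_syn_drop counter is dropped even though it grows fastest.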