PBR rules mismatch across cluster members-checkpoint-gaia

error
high-availability
checkpoint
gaia

Vendor: checkpoint

OS: gaia

Description:
indeni will identify when two devices are part of a cluster and alert if the PBR rules settings are different.

Remediation Steps:
Compare the output of “show pbr rules” (under clish) across members of the cluster.

How does this work?
The PBR settings are retrieved by parsing the Gaia configuration database, /config/active. They could also be retrieved via clish, but that generates a lot of log entries in /var/log/messages.

Why is this important?
It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-gaia-clish_show_pbr_rules

#! META
name: chkp-gaia-clish_show_pbr_rules
description: run "show pbr rules" over clish
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    os.name: gaia

#! COMMENTS
pbr-rules:
    why: |
        It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.
    how: |
        The PBR settings are retrieved by parsing the Gaia configuration database, /config/active. They could also be retrieved via clish, but that generates a lot of log entries in /var/log/messages.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing policy based routing rules is only available from the command line interface and WebUI.

#! REMOTE::SSH
${nice-path} -n 15 grep "routed:instance:default:pbrrules:priority" /config/active

#! PARSER::AWK


# routed:instance:default:pbrrules:priority:6:to:2.2.2.0 t
# routed:instance:default:pbrrules:priority:6:to:2.2.2.0:masklen 24
/routed:instance:default:pbrrules:priority:[0-9]+:to/ {
	split($1,splitArr,":")
	
	# Only the "...:to:<addr>:masklen <n>" line splits into 9 fields; the bare "...:to:<addr> t" line (8 fields) is skipped
	if(arraylen(splitArr) == 9) {
		priority = splitArr[6]

		rules[priority, "destination"] = splitArr[8] "/" $2
	}
}

# routed:instance:default:pbrrules:priority:6:from:2.3.3.0 t
# routed:instance:default:pbrrules:priority:6:from:2.3.3.0:masklen 24
/routed:instance:default:pbrrules:priority:[0-9]+:from/ {
	split($1,splitArr,":")
	
	# Only the "...:from:<addr>:masklen <n>" line splits into 9 fields; the bare "...:from:<addr> t" line (8 fields) is skipped
	if(arraylen(splitArr) == 9) {
		priority = splitArr[6]

		rules[priority, "source"] = splitArr[8] "/" $2
	}
}

# routed:instance:default:pbrrules:priority:6:protocol 6
/routed:instance:default:pbrrules:priority:[0-9]+:protocol/ {
	split($1,splitArr,":")
	priority = splitArr[6]
	protocol = $NF
	if (protocol == "6") {
		protocol = "TCP"
	} else if (protocol == "17") {
		protocol = "UDP"
	} else if (protocol == "1") {
		protocol = "ICMP"
	}
	
	rules[priority, "protocol"] = protocol
}

# routed:instance:default:pbrrules:priority:6:port 20
/routed:instance:default:pbrrules:priority:[0-9]+:port/ {
	split($1,splitArr,":")
	priority = splitArr[6]
	
	rules[priority, "service-port"] = $NF
}

# routed:instance:default:pbrrules:priority:6:dev eth0
/routed:instance:default:pbrrules:priority:[0-9]+:dev/ {
	split($1,splitArr,":")
	priority = splitArr[6]
	
	rules[priority, "interface"] = $NF
}

# routed:instance:default:pbrrules:priority:6:table 3
/routed:instance:default:pbrrules:priority:[0-9]+:table/ {
	split($1,splitArr,":")
	priority = splitArr[6]
	
	rules[priority, "table"] = $NF
}

# routed:instance:default:pbrrules:priority:6:tname routeDefault
/routed:instance:default:pbrrules:priority:[0-9]+:tname/ {
	split($1,splitArr,":")
	priority = splitArr[6]
	
	rules[priority, "table-name"] = $NF
}

END {
	writeComplexMetricObjectArray("pbr-rules", null, rules)
}

checkpoint_compare_pbr_rules

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
/**
  *
  */
case class checkpoint_compare_pbr_rules() extends SnapshotComparisonTemplateRule(
  ruleName = "checkpoint_compare_pbr_rules",
  ruleFriendlyName = "Check Point Cluster: PBR rules mismatch across cluster members",
  ruleDescription = "indeni will identify when two devices are part of a cluster and alert if the PBR rules settings are different.",
  metricName = "pbr-rules",
  isArray = true,
  alertDescription = "The members of a cluster of Check Point firewalls must have the same PBR (policy based routing) settings.",
  baseRemediationText = """Compare the output of "show pbr rules" (under clish) across members of the cluster.""")()
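As an added example (not indeni's code, and not the AWK or Scala on this page), the following Python mirrors what the parser and the snapshot-comparison rule above do together: it parses /config/active-style lines from two cluster members into the same per-priority fields the AWK script emits (destination, source, protocol, service-port, interface, table, table-name) and reports every field that differs between the members. The sample configuration lines are constructed, modelled on the comment lines in the AWK parser; the function names are this example's own.

```python
"""Parse Gaia /config/active PBR rules and diff them across two cluster members.

Added example, not indeni's code. Each /config/active line is "key value" with a
colon-separated key, exactly as the AWK parser on this page expects.
"""
import re
from collections import defaultdict

# Constructed sample for cluster member A, modelled on the AWK parser's comment lines.
MEMBER_A = """\
routed:instance:default:pbrrules:priority:6:to:2.2.2.0 t
routed:instance:default:pbrrules:priority:6:to:2.2.2.0:masklen 24
routed:instance:default:pbrrules:priority:6:from:2.3.3.0 t
routed:instance:default:pbrrules:priority:6:from:2.3.3.0:masklen 24
routed:instance:default:pbrrules:priority:6:protocol 6
routed:instance:default:pbrrules:priority:6:port 20
routed:instance:default:pbrrules:priority:6:dev eth0
routed:instance:default:pbrrules:priority:6:table 3
routed:instance:default:pbrrules:priority:6:tname routeDefault
"""

# Constructed sample for member B: same rule 6 but pointing at table 4, plus an extra rule 7.
MEMBER_B = """\
routed:instance:default:pbrrules:priority:6:to:2.2.2.0 t
routed:instance:default:pbrrules:priority:6:to:2.2.2.0:masklen 24
routed:instance:default:pbrrules:priority:6:from:2.3.3.0 t
routed:instance:default:pbrrules:priority:6:from:2.3.3.0:masklen 24
routed:instance:default:pbrrules:priority:6:protocol 6
routed:instance:default:pbrrules:priority:6:port 20
routed:instance:default:pbrrules:priority:6:dev eth0
routed:instance:default:pbrrules:priority:6:table 4
routed:instance:default:pbrrules:priority:6:tname routeDefault
routed:instance:default:pbrrules:priority:7:dev eth1
"""

KEY_RE = re.compile(r"^routed:instance:default:pbrrules:priority:(\d+):(.+)$")
PROTOCOLS = {"6": "TCP", "17": "UDP", "1": "ICMP"}  # same mapping as the AWK parser


def parse_pbr_rules(config_text):
    """Return {priority: {field: value}} for every PBR rule found in the text."""
    rules = defaultdict(dict)
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        m = KEY_RE.match(key)
        if not m:
            continue
        priority, rest = m.group(1), m.group(2).split(":")
        # Only the "<to|from>:<addr>:masklen <n>" form carries the prefix length;
        # the bare "<to|from>:<addr> t" line is skipped, as the AWK arraylen check does.
        if rest[0] in ("to", "from") and len(rest) == 3 and rest[2] == "masklen":
            field = "destination" if rest[0] == "to" else "source"
            rules[priority][field] = f"{rest[1]}/{value}"
        elif rest == ["protocol"]:
            rules[priority]["protocol"] = PROTOCOLS.get(value, value)
        elif rest == ["port"]:
            rules[priority]["service-port"] = value
        elif rest == ["dev"]:
            rules[priority]["interface"] = value
        elif rest == ["table"]:
            rules[priority]["table"] = value
        elif rest == ["tname"]:
            rules[priority]["table-name"] = value
    return dict(rules)


def diff_pbr_rules(rules_a, rules_b):
    """Return [(priority, field, value_a, value_b)] for every mismatch; None means absent."""
    diffs = []
    for prio in sorted(set(rules_a) | set(rules_b), key=int):
        ra, rb = rules_a.get(prio, {}), rules_b.get(prio, {})
        for field in sorted(set(ra) | set(rb)):
            if ra.get(field) != rb.get(field):
                diffs.append((prio, field, ra.get(field), rb.get(field)))
    return diffs


if __name__ == "__main__":
    mismatches = diff_pbr_rules(parse_pbr_rules(MEMBER_A), parse_pbr_rules(MEMBER_B))
    if not mismatches:
        print("PBR rules match across cluster members")
    for prio, field, a, b in mismatches:
        print(f"priority {prio}: {field} differs (member A={a!r}, member B={b!r})")
```

Any non-empty list from diff_pbr_rules is the condition the indeni rule alerts on; a rule present on only one member shows up as a row with None on the other side, which is the case that causes trouble at failover.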