Per-virtual-system concurrent connection limit nearing-checkpoint-all

Per-virtual-system concurrent connection limit nearing-checkpoint-all

Vendor: checkpoint

OS: all

Description:
indeni will trigger an issue when the number of connections in a VS is too high.

Remediation Steps:
Review why this may be happening and consider moving some of the traffic between VS’s or devices.
Consider enabling aggressive aging if it is not yet enabled: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861

chkp-vsx-stat-l

name: chkp-vsx-stat-l
description: Lists VS's and gets general stats
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: 'true'

comments:
    concurrent-connections:
        why: |
            To check the concurrent connections on all the VS's to monitor the fluctuations and patterns, providing
            insights into the performance and other configuration changes that might be needed
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"

        can-with-snmp: false
        can-with-syslog: false

    concurrent-connections-limit:
        why: |
            To check the concurrent connections limit configured for each VS.
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw vsx stat -l
    parse:
        type: AWK
        file: vsx-stat-l.parser.1.awk

chkp-vsx-stat-l

name: chkp-vsx-stat-l
description: Lists VS's and gets general stats
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: 'true'

comments:
    concurrent-connections:
        why: |
            To check the concurrent connections on all the VS's to monitor the fluctuations and patterns, providing
            insights into the performance and other configuration changes that might be needed
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"

        can-with-snmp: false
        can-with-syslog: false

    concurrent-connections-limit:
        why: |
            To check the concurrent connections limit configured for each VS.
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw vsx stat -l
    parse:
        type: AWK
        file: vsx-stat-l.parser.1.awk

concurrent_connection_limit_vsx

package com.indeni.server.rules.library.core

import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.{DivExpression, TimesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.library.core.ConcurrentConnectionsUsageVsxRule._

/**
 * Per-device rule that flags every virtual system whose last observed concurrent-connection
 * count has reached a configurable percentage of that VS's connection limit.
 *
 * Both inputs are time-series produced by the collecting script: `concurrent-connections`
 * and `concurrent-connections-limit`, scoped by the `vs.id` / `vs.name` tags.
 */
case class ConcurrentConnectionsUsageVsxRule() extends PerDeviceRule with RuleHelper {

  /** Key of the operator-configurable threshold parameter (percent of the per-VS limit). */
  private[library] val highThresholdParameterName = "High_Threshold_of_Connection_usage"

  // Threshold is a percentage of the VS connection limit; default 80%.
  // NOTE(review): no range validation is visible here — a value of 0 or below makes the
  // condition below hold for any non-negative usage, and a value above 100 can make it
  // unreachable; confirm whether ParameterDefinition/UIType.DOUBLE bounds it.
  private val highThresholdParameter = new ParameterDefinition(
    highThresholdParameterName,
    "",
    "High Threshold of Concurrent Connection Usage",
    "What is the threshold for the concurrent connection usage for which once it is crossed an issue will be triggered.",
    UIType.DOUBLE,
    80.0)

  /** Rule identity, severity, category and its single configurable parameter. */
  override val metadata: RuleMetadata =
    RuleMetadata
      .builder(
        NAME,
        "Per-virtual-system concurrent connection limit nearing",
        "indeni will trigger an issue the number of connections in a VS is too high.",
        AlertSeverity.ERROR,
        categories = Set(RuleCategory.HealthChecks),
        deviceCategory = DeviceCategory.AllDevices)
      .configParameter(highThresholdParameter)
      .build()

  /**
   * Builds the evaluation tree: device -> VS (by `vs.id`/`vs.name`) -> the two time-series,
   * with the issue condition `usage >= limit * (threshold / 100)` evaluated per VS.
   *
   * @param context gives access to the metadata DAO (device selection) and the time-series DAO
   * @return the status tree, with per-VS secondary info and root headline/description/remediation attached
   */
  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    // Inputs: most recent sample of each series, plus the percentage threshold from the rule config.
    val usage = TimeSeriesExpression[Double]("concurrent-connections").last
    val thresholdPercent: OptionalExpression[Double] = getParameterDouble(highThresholdParameter)
    val connectionLimit = TimeSeriesExpression[Double]("concurrent-connections-limit").last

    // Which objects to pull (normally, devices)
    val deviceScope = SelectTagsExpression(context.metaDao, Set(DeviceKey), True)

    // The additional tags we care about (included in the alert data)
    val vsScope = SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True)

    // The time-series the condition is checked against.
    // denseOnly = false: a series with gaps is still evaluated — presumably so a missed poll
    // does not drop the VS from the check; confirm against the expression's contract.
    val vsMetrics = SelectTimeSeriesExpression[Double](
      context.tsDao,
      Set("concurrent-connections", "concurrent-connections-limit"),
      denseOnly = false)

    // Issue when usage >= limit * threshold%. Note the limit is a reported value: if a VS ever
    // reports a limit of 0 the right-hand side is 0 and the condition is trivially true — verify
    // how the parser represents an unset limit before relying on this.
    val usageAtOrAboveThreshold = GreaterThanOrEqual(
      usage,
      TimesExpression(connectionLimit, DivExpression(thresholdPercent, ConstantExpression(Some(100.0)))))

    // Per-VS check; the secondary info is what appears under "Affected VS's" in the alert.
    val perVsCheck = StatusTreeExpression(vsMetrics, usageAtOrAboveThreshold)
      .withSecondaryInfo(
        scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
        scopableStringFormatExpression("Usage of %.0f (vs limit of %.0f) is above the threshold of %.0f%%.", usage, connectionLimit, thresholdPercent),
        title = "Affected VS's")
      .asCondition()

    // Device level carries no info of its own; it only fans out over the VS tags.
    val perDeviceCheck = StatusTreeExpression(vsScope, perVsCheck).withoutInfo().asCondition()

    // Root: headline, description and vendor-conditional remediation steps.
    // The description is a static literal containing inline HTML (an anchor); it is not built
    // from device-supplied data.
    StatusTreeExpression(deviceScope, perDeviceCheck).withRootInfo(
      getHeadline(),
      ConstantExpression("Some VS's have a high number of concurrent connections.\n\nThis issue was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/in/motisagey\">Moti Sagey</a>."),
      ConditionalRemediationSteps(
        "Review why this may be happening and consider moving some of the traffic between VS's or devices.",
        RemediationStepCondition.VENDOR_CP -> "Consider enabling aggressive aging if it is not yet enabled: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861",
        RemediationStepCondition.VENDOR_PANOS -> "Compare the products and the maximum sessions allowed: https://www.paloaltonetworks.com/products/product-selection"))
  }
}

/** Companion holding the rule's constants; the class picks them up via its wildcard import. */
object ConcurrentConnectionsUsageVsxRule {

  /* --- Constants --- */

  /** Identifier under which the rule is registered (first argument to `RuleMetadata.builder`). */
  private[library] val NAME: String = "concurrent_connection_limit_vsx"
}