Per-virtual-system concurrent connection limit nearing-checkpoint-all

Per-virtual-system concurrent connection limit nearing-checkpoint-all
0

Per-virtual-system concurrent connection limit nearing-checkpoint-all

Vendor: checkpoint

OS: all

Description:
indeni will trigger an issue the number of connections in a VS is too high.

Remediation Steps:
Review why this may be happening and consider moving some of the traffic between VS’s or devices.
||Consider enabling aggressive aging if it is not yet enabled: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861",

chkp-vsx-stat-l

name: chkp-vsx-stat-l
description: Lists VS's and get general stats
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: 'true'

comments:
    concurrent-connections:
        why: |
            To check the concurrent connections on all the VS's to monitor the fluctuations and patterns providing
            insights to the performace and other configuration changes that might be needed
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"

        can-with-snmp: false
        can-with-syslog: false

    concurrent-connections-limit:
        why: |
            To check the Concurrent connections limit set over the contexts of each VS.
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw vsx stat -l
    parse:
        type: AWK
        file: vsx-stat-l.parser.1.awk

chkp-vsx-stat-l

name: chkp-vsx-stat-l
description: Lists VS's and get general stats
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: 'true'

comments:
    concurrent-connections:
        why: |
            To check the concurrent connections on all the VS's to monitor the fluctuations and patterns providing
            insights to the performace and other configuration changes that might be needed
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"

        can-with-snmp: false
        can-with-syslog: false

    concurrent-connections-limit:
        why: |
            To check the Concurrent connections limit set over the contexts of each VS.
        how: |
            By checking the outputs for all the VS and listing the concurrent connections for all the VS with checkpoint
            command "vsx stat -l"
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: ${nice-path} -n 15 fw vsx stat -l
    parse:
        type: AWK
        file: vsx-stat-l.parser.1.awk

concurrent_connection_limit_vsx

package com.indeni.server.rules.library.core

import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.conditions.GreaterThanOrEqual
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.math.{DivExpression, TimesExpression}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.library.core.ConcurrentConnectionsUsageVsxRule._

case class ConcurrentConnectionsUsageVsxRule() extends PerDeviceRule with RuleHelper {

  private[library] val highThresholdParameterName = "High_Threshold_of_Connection_usage"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
    "",
    "High Threshold of Concurrent Connection Usage",
    "What is the threshold for the concurrent connection usage for which once it is crossed an issue will be triggered.",
    UIType.DOUBLE,
    80.0)

  override val metadata: RuleMetadata = RuleMetadata.builder(NAME, "Per-virtual-system concurrent connection limit nearing",
    "indeni will trigger an issue the number of connections in a VS is too high.", AlertSeverity.ERROR,
    categories = Set(RuleCategory.HealthChecks), deviceCategory = DeviceCategory.AllDevices).configParameter(highThresholdParameter).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("concurrent-connections").last
    val threshold: OptionalExpression[Double] = getParameterDouble(highThresholdParameter)
    val limit = TimeSeriesExpression[Double]("concurrent-connections-limit").last

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
        StatusTreeExpression(

          // The additional tags we care about (we'll be including this in alert data)
          SelectTagsExpression(context.tsDao, Set("vs.id","vs.name"), True),

            StatusTreeExpression(
              // The time-series we check the test condition against:
              SelectTimeSeriesExpression[Double](context.tsDao, Set("concurrent-connections", "concurrent-connections-limit"), denseOnly = false),

              // The condition which, if true, we have an issue. Checked against the time-series we've collected
              GreaterThanOrEqual(
                actualValue,
                TimesExpression(limit, DivExpression(threshold, ConstantExpression(Some(100.0)))))

              // The Alert Item to add for this specific item
            ).withSecondaryInfo(
                scopableStringFormatExpression("${scope(\"vs.name\")} (${scope(\"vs.id\")})"),
                scopableStringFormatExpression("Usage of %.0f (vs limit of %.0f) is above the threshold of %.0f%%.", actualValue, limit, threshold),
                title = "Affected VS's"
            ).asCondition()
        ).withoutInfo().asCondition()
    ).withRootInfo(
        getHeadline(),
        ConstantExpression("Some VS's have a high number of concurrent connections.\n\nThis issue was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/in/motisagey\">Moti Sagey</a>."),
        ConditionalRemediationSteps("Review why this may be happening and consider moving some of the traffic between VS's or devices.",
          RemediationStepCondition.VENDOR_CP -> "Consider enabling aggressive aging if it is not yet enabled: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm#o12861",
          RemediationStepCondition.VENDOR_PANOS -> "Compare the products and the maximum sessions allowed: https://www.paloaltonetworks.com/products/product-selection"
      )
    )
  }
}

object ConcurrentConnectionsUsageVsxRule {

  /* --- Constants --- */

  private[library] val NAME = "concurrent_connection_limit_vsx"
}