Policy mismatch across cluster members-checkpoint-gaia,secureplatform


Vendor: checkpoint

OS: gaia,secureplatform

Description:
indeni will identify when two devices are part of a cluster and alert if the policy installed is different.

Remediation Steps:
Review the policy installed on each device in the cluster and ensure they are the same.
Normally the management server ensures the same policy was installed on all cluster members. It’s possible the checkbox for ensuring this was unchecked in the most recent policy installation. Please re-install the policy.

How does this work?
The policy name is read from the output of `fw stat`, and an MD5 hash of the installed policy file (`$FWDIR/state/local/FW1/local.str`) is calculated and appended to it. The resulting fingerprint is then compared across all members of the cluster; any difference raises the alert.

Why is this important?
If all members of a cluster do not have the same security policy installed, unexpected issues can arise after a failover.

Without Indeni how would you find this?
An administrator could log in and manually check which policy is installed, and when it was installed, comparing between all cluster members.

chkp-policy-fingerprint-novsx

#! META
name: chkp-policy-fingerprint-novsx
description: Retrieve policy name and unique identifier
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        -
            os.name: gaia
        -
            os.name: secureplatform
    vsx:
        neq: true
    role-firewall: "true"

#! COMMENTS
policy-installed-fingerprint:
    why: |
        If all members of a cluster do not have the same security policy installed, unexpected issues can arise after a failover.
    how: |
        An MD5 hash is calculated along with the policy name.
    without-indeni: |
        An administrator could log in and manually check which policy is installed, and when it was installed, comparing between all cluster members.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface.

#! REMOTE::SSH
${nice-path} -n 15 fw stat && ${nice-path} -n 15 md5sum $FWDIR/state/local/FW1/local.str

#! PARSER::AWK

# First line of interest comes from "fw stat", e.g.:
# localhost InitialPolicy 12Feb2017 19:13:38 :  [>eth0] [<eth0]
# Field 2 is the installed policy name ("-" when no policy is loaded).
/^localhost/ {
	policyName=$2
	fingerprint = policyName
}

# Second line of interest comes from "md5sum $FWDIR/state/local/FW1/local.str", e.g.:
# 16f7b38c2a9e2f96a6faf3000f2050ff  /opt/CPsuite-R77/fw1/state/local/FW1/local.str
# (matching on the file name is preferred over the alternative hash-only pattern below)
#/[a-f0-9]{32}/ {
/local\.str/ {
	# No policy installed: report an empty fingerprint rather than "-"
	if (fingerprint == "-") {
		fingerprint = ""
	# Otherwise append the 32-character hex MD5 of local.str to the policy name
	} else if ($1 ~ /[a-f0-9]{32}/) {
		fingerprint = fingerprint " " $1
	}

	writeComplexMetricString("policy-installed-fingerprint", null, fingerprint)
}
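As an added example, not part of the indeni script or rule on this page, the following Python mirrors the fingerprint construction and the cross-member comparison: it builds constructed `fw stat` / `md5sum` output for each member, derives the fingerprint the same way the AWK parser does (including the "-" no-policy case), and flags members whose fingerprints disagree. The member names, policy names and `local.str` contents are constructed sample values.

```python
import hashlib
import re
from typing import Dict, Optional

HEX32 = re.compile(r"^[a-f0-9]{32}$")


def simulate_member_output(policy_name: str, local_str: bytes) -> str:
    """Constructed stand-in for what the REMOTE::SSH command returns on one
    member ('fw stat' followed by 'md5sum local.str'); not captured output."""
    md5 = hashlib.md5(local_str).hexdigest()
    return (
        "HOST      POLICY        DATE\n"
        f"localhost {policy_name} 12Feb2017 19:13:38 :  [>eth0] [<eth0]\n"
        f"{md5}  /opt/CPsuite-R77/fw1/state/local/FW1/local.str\n"
    )


def policy_fingerprint(output: str) -> Optional[str]:
    """Mirror the AWK parser: take the policy name from the 'localhost' line,
    then append the 32-hex md5sum of local.str. A policy name of '-' (nothing
    installed) yields an empty fingerprint, exactly as the parser does."""
    fingerprint = None
    for line in output.splitlines():
        fields = line.split()
        if line.startswith("localhost") and len(fields) >= 2:
            fingerprint = fields[1]
        elif "local.str" in line and fingerprint is not None:
            if fingerprint == "-":
                fingerprint = ""
            elif HEX32.match(fields[0]):
                fingerprint = f"{fingerprint} {fields[0]}"
    return fingerprint


def mismatched_members(members: Dict[str, str]) -> Dict[str, str]:
    """Cross-member check: return member -> fingerprint when any two cluster
    members disagree (the condition that raises the alert), else {}."""
    return dict(members) if len(set(members.values())) > 1 else {}


if __name__ == "__main__":
    # Constructed cluster: both members run "Standard" but fw2 has a
    # different local.str, as after a policy push with the check unticked.
    outputs = {
        "fw1": simulate_member_output("Standard", b"constructed rulebase v1"),
        "fw2": simulate_member_output("Standard", b"constructed rulebase v2"),
    }
    fps = {name: policy_fingerprint(out) for name, out in outputs.items()}
    print(mismatched_members(fps) or "cluster members agree")
```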

cross_vendor_compare_policy_fingerprint

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.ConditionalRemediationSteps
import com.indeni.server.common.data.conditions.{Equals => DataEquals, Not => DataNot}
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule


/**
  * Compares the policy-installed-fingerprint metric (policy name plus MD5 of local.str)
  * across the members of a cluster and alerts when the values differ.
  */
case class cross_vendor_compare_policy_fingerprint() extends SnapshotComparisonTemplateRule(
  ruleName = "cross_vendor_compare_policy_fingerprint",
  ruleFriendlyName = "Clustered Devices: Policy mismatch across cluster members",
  ruleDescription = "indeni will identify when two devices are part of a cluster and alert if the policy installed is different.",
  metricName = "policy-installed-fingerprint",
  isArray = false,
  alertDescription = "The members of a cluster of devices must have the same policy installed.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/pub/itzik-assaraf/2/870/1b5\">Itzik Assaraf</a> (Leumi Card).",
  baseRemediationText = """Review the policy installed on each device in the cluster and ensure they are the same.""",
  metaCondition = !DataEquals("vsx", "true"))(
  ConditionalRemediationSteps.VENDOR_CP -> "Normally the management server ensures the same policy was installed on all cluster members. It's possible the checkbox for ensuring this was unchecked in the most recent policy installation. Please re-install the policy.")