Routes defined in clish/webUI are missing-checkpoint-gaia


Vendor: checkpoint

OS: gaia

Description:
Sometimes the routes that are defined in the Check Point Web UI or through clish may not be fully applied to the operating system layer. If this happens, Indeni will alert.

Remediation Steps:
A workaround to get the routes applied can be to restart the routeD daemon by running “cpstop;cpstart” or to restart the device. However, since this should not happen, a case can also be opened with your technical support provider. In the case of devices in a cluster, it is possible that the issue affects only one of the nodes, and a failover to the other node could lessen the impact of the issue.

How does this work?
Retrieve the Linux kernel routes using the Linux “netstat” command, and the Check Point configured routes from Gaia’s /config/active file. Then compare the two route sets to make sure they are the same.

Why is this important?
If a static route is configured via Clish or WebUI, sometimes the system does not write the route into the Linux kernel routing table. To make sure all routes have been written, we compare the actual kernel routes with those configured in Check Point.

Without Indeni how would you find this?
An administrator could log in, manually list the routes with both commands, and then compare them. However, there are often many routes configured; combined with the difference in output format (for example, how the subnet is written), this can be a very cumbersome task.
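The comparison described above, as an added example that is not Indeni's own collector or parser: both sources are normalized to (network/prefix, gateway) pairs so that netstat's dotted netmasks and Gaia's CIDR prefixes can be compared directly. The sample outputs are constructed, and the /config/active line format (clish-style "set static-route ... nexthop gateway address ... on") is an assumption.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (not captured from a real gateway).
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.0.0       192.0.2.254     255.255.0.0     UG        0 0          0 eth1
"""

# Constructed excerpt of /config/active; the static-route line format is assumed.
CONFIG_ACTIVE = """\
set hostname gw-a
set static-route default nexthop gateway address 192.0.2.1 on
set static-route 10.10.0.0/16 nexthop gateway address 192.0.2.254 on
set static-route 10.20.0.0/16 nexthop gateway address 192.0.2.254 on
set static-route 172.16.5.0/24 nexthop gateway address 192.0.2.253 off
"""


def kernel_routes(netstat_output):
    """Return {(network, gateway)} from netstat -rn; the netmask is folded into CIDR."""
    routes = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gateway, mask = fields[0], fields[1], fields[2]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.add((str(net), gateway))
    return routes


def configured_routes(config_active):
    """Return {(network, gateway)} for enabled static routes in /config/active."""
    routes = set()
    for line in config_active.splitlines():
        fields = line.split()
        # expected: set static-route <prefix|default> nexthop gateway address <gw> on|off
        if len(fields) < 8 or fields[:2] != ["set", "static-route"]:
            continue
        if fields[3:6] != ["nexthop", "gateway", "address"] or fields[-1] != "on":
            continue  # disabled routes are not expected in the kernel table
        prefix = "0.0.0.0/0" if fields[2] == "default" else fields[2]
        routes.add((str(ipaddress.ip_network(prefix, strict=False)), fields[6]))
    return routes


def routes_missing_from_kernel(config_active, netstat_output):
    """Enabled static routes that are configured but absent from the kernel table."""
    return sorted(configured_routes(config_active) - kernel_routes(netstat_output))
```

A non-empty result is exactly the condition the rule below alerts on; the example ignores directly connected routes, which the kernel adds from interface configuration rather than from static-route entries.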

chkp-gaia-routes-vsx

name: chkp-gaia-routes-vsx
description: Report configured static and direct routes, and compare configured static
    routes with Linux routes.
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    os.name: gaia
    vsx: 'true'
    role-firewall: 'true'
    asg:
        neq: 'true'
comments:
    static-routing-table:
        why: |
            It is important that routing is configured identically for all members of the same cluster. Otherwise, there can be downtime in the event of a failover.
        how: |
            The static routes are retrieved by parsing the Gaia configuration database, /config/active. They can also be retrieved via Clish, but that creates a lot of log entries in /var/log/messages.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: true
        can-with-syslog: false
        vendor-provided-management: |
            Listing static routes is only available from the command line interface or via SNMP. In VSX it is also visible in SmartDashboard.
    connected-networks-table:
        why: |
            It is important that the connected interfaces are configured identically for all members of the same cluster. Otherwise, there can be downtime in the event of a failure.
        how: |
            The routes for directly connected interfaces are retrieved by parsing the Gaia configuration database, /config/active. They can also be retrieved via Clish, but that creates a lot of log entries in /var/log/messages.
        without-indeni: |
            An administrator could log in and manually run the command.
        can-with-snmp: true
        can-with-syslog: false
        vendor-provided-management: |
            Listing routes for directly connected interfaces is only available from the command line interface or via SNMP.
    routes-missing-kernel:
        why: |
            If a static route is configured via Clish or WebUI, sometimes the system does not write the route into the Linux kernel routing table. To make sure all routes have been written, we compare the actual kernel routes with those configured in Check Point.
        how: |
            Retrieve the Linux kernel routes using the Linux "netstat" command, and the Check Point configured routes from Gaia's /config/active file. Then compare the two route sets to make sure they are the same.
        without-indeni: |
            An administrator could log in, manually list the routes with both commands, and then compare them. However, there are often many routes configured; combined with the difference in output format (for example, how the subnet is written), this can be a very cumbersome task.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Listing routes from kernel is only available from
            the command line interface. Listing configured routes is also available
            from the WebUI.
steps:
-   run:
        type: SSH
        file: gaia-routes-vsx.remote.1.bash
    parse:
        type: AWK
        file: gaia-routes-vsx.parser.1.awk

chkp_firewall_routes_missing_vsx

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.ruleengine.expressions.conditions.{Equals, Not}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.{RuleCategory, RuleContext}
import com.indeni.server.common.data.conditions.{Equals => DataEquals}
import com.indeni.server.rules.library.RuleHelper
import com.indeni.server.rules.library.templates.MultiSnapshotValueCheckTemplateRule

case class chkp_firewall_routes_missing_vsx() extends MultiSnapshotValueCheckTemplateRule(
  ruleName = "chkp_firewall_routes_missing_vsx",
  ruleFriendlyName = "Check Point Firewalls (VSX): Routes defined in clish/webUI are missing",
  ruleDescription = "Sometimes the routes that are defined in the Check Point Web UI or through clish may not be fully applied to the operating system layer. If this happens, Indeni will alert.",
  metricName = "routes-missing-kernel",
  applicableMetricTag = "vs.name",
  alertItemsHeader = "Routes missing",
  alertDescription = "The configured routes have not been correctly applied to the Gaia OS. This means that some of the routes configured do not currently work.",
  baseRemediationText = "A workaround to get it to work can be to restart the routeD daemon by running \"cpstop;cpstart\" or restarting the device. However since this should not happen a case can also be opened with your technical support provider. In the case of devices in a cluster it is possible that the issue happens only for one of the nodes and a failover to the other node could lessen the impact of the issue.",
  complexCondition = Not(Equals(RuleHelper.createEmptyComplexArrayConstantExpression(), SnapshotExpression("routes-missing-kernel").asMulti().mostRecent().value().noneable)),
  ruleCategories = Set(RuleCategory.OrganizationStandards)
)()