SecureXL configuration mismatch across cluster members-checkpoint-False

error
high-availability
false
checkpoint

Vendor: checkpoint

OS: False

Description:
indeni will identify when two devices are part of a cluster and alert if the SecureXL settings differ between the members for any of their VSs.

Remediation Steps:
Compare the output of “fwaccel stat” across the members of the cluster; make sure to run the command in the correct vsenv context.

How does this work?
By using the Check Point built-in “fwaccel stat” command, the current status of SecureXL is retrieved and, given that there is more than one member in the cluster, compared between the cluster members.

Why is this important?
SecureXL is used to accelerate traffic. If it is disabled it could result in a reduction in the amount of throughput the device can handle. If used in a clustered environment, the user must ensure all members of the cluster have the same setting.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-fw-accel-stat-novsx

#! META
name: chkp-fw-accel-stat-novsx
description: Get securexl status information
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    role-firewall: "true"
    vsx:
        neq: "true"

#! COMMENTS
securexl-status:
    why: |
        SecureXL is used to accelerate traffic. If it is disabled it could result in a reduction in the amount of throughput the device can handle. If used in a clustered environment, the user must ensure all members of the cluster have the same setting.
    how: |
        By using the Check Point built-in "fwaccel stat" command, the current status of SecureXL is retrieved and, given that there are more than one member in the cluster, compared between the cluster members.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing SecureXL status is only available from the command line interface.

securexl-disabled-from-rule:
    why: |
        SecureXL is used to accelerate traffic. If it is disabled it could result in a reduction in the amount of throughput the device can handle. Certain rules cause SecureXL to be disabled from that rule and downwards. If such a rule is placed in the very beginning of the rulebase, it would essentially disable SecureXL completely.
    how: |
        By using the Check Point built-in "fwaccel stat" command, the current status of SecureXL is retrieved.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Listing SecureXL status is only available from the command line interface.

#! REMOTE::SSH
${nice-path} -n 15 fwaccel stat

#! PARSER::AWK

BEGIN {
    FS = "|"
    status = ""
    rule = ""
}

# Versions prior to R80.20 report a single status line, for example:
#Accelerator Status : on
#Accelerator Status : off
#Accelerator Status : no license for SecureXL
#Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))
#Accelerator Status : waiting for policy load
#Accelerator Status : disabled by Firewall
/^Accelerator Status/ {
    # Skip the "Accelerator Status : " prefix; "+ 1" so the value does not start with the prefix's trailing space
    status = substr($0, length("Accelerator Status : ") + 1)
}

# Versions after R80.20 report a table; with FS = "|" the status is the fourth field:
#|0 |SND  |enabled    |eth0,eth1,eth2           |Acceleration,Cryptography     |
/SND/ {
    status = $4
}

# Versions prior to R80.20:
#disabled from rule #184
# Versions after R80.20:
#Layer VS1_Policy Network disables template offloads from rule #1
/^disabled from rule|disables template offloads/ {
    # The rule number is the last whitespace-separated token, without its leading "#"
    arr_len = split($0, split_arr, " ")
    rule = split_arr[arr_len]
    sub("#", "", rule)
}

END {
    # Remove the padding whitespace the table format leaves around the value
    gsub(/^[ \t]+|[ \t]+$/, "", status)

    if ( status ~ /license/ ) {
        status = "no-license"
    }
    else if ( status ~ /off/ && status ~ /Firewall/ ) {
        status = "off-by-firewall"
    }
    else if ( status ~ /waiting/ && status ~ /policy/ ) {
        status = "on"
    }
    else if ( status ~ /disabled/ && status ~ /Firewall/ ) {
        status = "on"
    }

    writeComplexMetricStringWithLiveConfig("securexl-status", null, status, "SecureXL - State")
    if ( rule != "" ) {
        writeComplexMetricStringWithLiveConfig("securexl-disabled-from-rule", null, rule, "SecureXL - Templating Disabled From Rule Number")
    }
}


checkpoint_compare_securexl_setting_vsx

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SnapshotComparisonTemplateRule
/**
  *
  */
case class checkpoint_compare_securexl_setting_vsx() extends SnapshotComparisonTemplateRule(
  ruleName = "checkpoint_compare_securexl_setting_vsx",
  ruleFriendlyName = "Check Point Cluster (VSX): SecureXL configuration mismatch across cluster members",
  ruleDescription = "indeni will identify when two devices are part of a cluster and alert if the SecureXL settings are different for different VS's.",
  metricName = "securexl-status",
  applicableMetricTag = "vs.name",
  isArray = false,
  alertDescription = "The members of a cluster of Check Point firewalls must have the same SecureXL settings.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://il.linkedin.com/pub/gal-vitenberg/83/484/103\">Gal Vitenberg</a>.",
  baseRemediationText = """Compare the output of "fwaccel stat" across members of the cluster, make sure to run the command in the correct vsenv context.""")()
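As an added example, not indeni's own code and not part of the original page, the following Python re-implements the parsing done by the AWK script above (both the pre-R80.20 "Accelerator Status" line and the post-R80.20 table row) and the per-VS comparison across cluster members that the Scala rule performs, so the behaviour can be checked offline. The `fwaccel stat` outputs are constructed from the line shapes documented in the script's comments, not captured from a gateway, and the member and VS names are assumptions.

```python
from collections import defaultdict

# Constructed sample outputs, modelled on the line shapes in the parser comments.
# They are not captured from a real gateway.
OLD_FORMAT_ON = "Accelerator Status : on\n"
OLD_FORMAT_RULE = "Accelerator Status : on\ndisabled from rule #184\n"
OLD_FORMAT_NO_LICENSE = "Accelerator Status : no license for SecureXL\n"
OLD_FORMAT_OFF_BY_FW = (
    "Accelerator Status : off by Firewall (too many general errors (3) (caller: fw_handle_first_packet))\n"
)
NEW_FORMAT_ENABLED = (
    "|Id|Name |Status     |Interfaces               |Features                      |\n"
    "|0 |SND  |enabled    |eth0,eth1,eth2           |Acceleration,Cryptography     |\n"
    "Layer VS1_Policy Network disables template offloads from rule #1\n"
)
NEW_FORMAT_DISABLED = (
    "|Id|Name |Status     |Interfaces               |Features                      |\n"
    "|0 |SND  |disabled   |eth0,eth1,eth2           |Acceleration,Cryptography     |\n"
)


def normalize_status(raw):
    """Map the raw status text to the same values the AWK END block produces."""
    status = raw.strip()  # drop the table padding / prefix whitespace
    if "license" in status:
        return "no-license"
    if "off" in status and "Firewall" in status:
        return "off-by-firewall"
    if "waiting" in status and "policy" in status:
        return "on"
    if "disabled" in status and "Firewall" in status:
        return "on"
    return status


def parse_fwaccel_stat(output):
    """Return {'status': ..., 'disabled_from_rule': ...} from one member's output."""
    status, rule = "", None
    for line in output.splitlines():
        if line.startswith("Accelerator Status"):
            # Pre-R80.20: value follows the fixed "Accelerator Status : " prefix
            status = line[len("Accelerator Status : "):]
        elif "SND" in line:
            # Post-R80.20: '|'-separated table row; field 3 (0-based) is the status
            fields = line.split("|")
            if len(fields) > 3:
                status = fields[3]
        if line.startswith("disabled from rule") or "disables template offloads" in line:
            # Rule number is the last token, without its leading '#'
            rule = line.split()[-1].lstrip("#")
    return {"status": normalize_status(status), "disabled_from_rule": rule}


def compare_cluster(members):
    """members: {member_name: {vs_name: fwaccel_stat_output}}.

    Returns {vs_name: {member_name: status}} for every VS whose SecureXL
    status is not identical across all members (the condition the rule alerts on).
    """
    by_vs = defaultdict(dict)
    for member, vss in members.items():
        for vs, output in vss.items():
            by_vs[vs][member] = parse_fwaccel_stat(output)["status"]
    return {vs: st for vs, st in by_vs.items() if len(set(st.values())) > 1}


# Assumed two-member cluster with two VSs; VS1 deliberately differs between members.
SAMPLE_CLUSTER = {
    "fw-a": {"VS0": OLD_FORMAT_ON, "VS1": NEW_FORMAT_ENABLED},
    "fw-b": {"VS0": OLD_FORMAT_ON, "VS1": NEW_FORMAT_DISABLED},
}

if __name__ == "__main__":
    for vs, statuses in compare_cluster(SAMPLE_CLUSTER).items():
        print(f"SecureXL mismatch on {vs}: {statuses}")
```

Each member's `fwaccel stat` output is parsed on its own, and only the normalized status string is compared, which mirrors how the rule keys the `securexl-status` metric by `vs.name` and raises the alert when the values differ across the members of the same cluster.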