Signature update status-checkpoint-gaia,secureplatform,gaia-embedded

error
checkpoint
gaiasecureplatformga

Signature update status-checkpoint-gaia,secureplatform,gaia-embedded

Vendor: checkpoint

OS: gaia,secureplatform,gaia-embedded

Description:
Indeni has detected that one or more signature databases for software blades are out of date.

Remediation Steps:
Contact support to get help in troubleshooting this issue.
There are also troubleshooting guides that can help to determine why the updates have failed.
Anti-bot and Anti-virus: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98665
URL Filter: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk35196

case class check_point_signature_update_status_vsx(context: RuleContext) extends StateDownTemplateRule(context,
ruleName = “check_point_signature_update_status_vsx”,
ruleFriendlyName = “Check Point Firewalls: Signature update status”,
ruleDescription = "Indeni has detected that one or more signature databases for software blades are out of date. " +
"This will happen either if the gateway reports a failure to update, or if the signature version are more than 14 days old. This means that protection against new threats is affected. “,
metricName = “signature-update-status”,
applicableMetricTag = “blade”,
descriptionMetricTag = “vs.name”,
historyLength = 3,
alertIfDown = true,
alertItemsHeader = “Affected blades”,
alertDescription = “Software blade signatures are out of data.\n\n” +
“This alert was added per the request of <a target=”_blank” href=“https://se.linkedin.com/in/johnathanbrowall”>Johnathan Browall Nordstrom.

How does this work?
The current update status for IPS, Anti-Bot, Anti-Virus, URL Filtering and Application control is retrieved.

Why is this important?
Several blades rely on signature updates to provide protection against the latest threats. If these updates are not working as expected, the gateway could miss new emerging threats.

Without Indeni how would you find this?
An administrator could log in and manually check this from the command line interface or from the Smart Dashboard.

chkp-subscription-signatures-updates-novsx

#! META
name: chkp-subscription-signatures-updates-novsx
description: Checks the status for blades that download signatures
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "checkpoint"
    or:
        -
            os.name: "gaia"
        -
            os.name: "secureplatform"
        -
            os.name: "gaia-embedded"
    role-firewall: "true"
    vsx:
        neq: "true"

#! COMMENTS
signature-update-status:
    why: |
        Several blades rely on signature updates to provide protection against the latest threats. If these updates are not working as expected, the gateway could miss new emerging threats.
    how: |
        The current update status for IPS, Anti-Bot, Anti-Virus, URL Filtering and Application control is retrieved.
    without-indeni: |
        An administrator could log in and manually check this from the command line interface or from the Smart Dashboard.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This is only accessible from the command line interface or Smart Dashboard.


#! REMOTE::SSH
echo -n "blades: " && ${nice-path} -n 15 enabled_blades && echo -n "blades: " && ${nice-path} -n 15 enabled_blades.sh && ${nice-path} -n 15 date +"date: %Y-%m-%d %H:%M:%S" && echo "blade: AntiMalware" && ${nice-path} -n 15 cpstat -f update_status antimalware && echo "blade: Application-Control" && ${nice-path} -n 15 cpstat -f update_status appi && echo "blade: Url-Filtering" && ${nice-path} -n 15 cpstat -f update_status urlf && echo "blade: Anti-Spam" && ${nice-path} -n 15 avsu_client -app "KSS AV" get_version

#! PARSER::AWK

# Notes for Above SSH Command:
# 1) IPS signatures are downloaded on the management, and not checked in this script.
# 2) Runs the "enabled_blades" command twice, since the command can differ between versions. Note that the
#    commands are chained with "&&": if the first form is missing on a version, the rest of the chain
#    (including the "date" command this parser relies on) does not run.


# IMPORTANT NOTE: This file and subscription-signatures-updates-vsx.ind share duplicate code. If you make changes
# in this file, please check the other file to see if the same changes apply there.

BEGIN {
    # No usable "blades:" line has been seen yet. The first one that is parsed
    # sets this to 1 so the repeated enabled_blades output is not parsed twice.
    blade_info_found = 0
}

#date: 2017-08-10 02:55:59
/^date: / {
    # Gateway clock in "YYYY-MM-DD HH:MM:SS" form; END uses it as the reference
    # point for the 14-day staleness check. Split date and time in one go on
    # "-", ":" and the separating space: ts[1..6] = year, month, day, hour,
    # minute, second.
    split($2 " " $3, ts, /[-: ]/)

    # datetime() is a parser helper not defined in this file; presumably it
    # returns seconds since the epoch (END compares the result in seconds).
    current_since_epoch = datetime(ts[1], ts[2], ts[3], ts[4], ts[5], ts[6])

    next
}

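# Create an array with the currently enabled blades, to make sure to alert only for blades that are enabled.
#fw vpn urlf appi av ips identityServer anti_bot
/^blades: / {
    # Short blade names from enabled_blades mapped to the display names used
    # on the "blade:" lines and in the status rules. Only these fixed names
    # ever become keys of enabled_blades, and END emits metrics only for keys
    # present there, so raw device output never ends up in the "blade" tag.
    blade_name["urlf"]     = "Url-Filtering"
    blade_name["appi"]     = "Application-Control"
    blade_name["av"]       = "Anti-Virus"
    blade_name["ips"]      = "IPS"
    blade_name["anti_bot"] = "Anti-Bot"
    blade_name["aspm"]     = "Anti-Spam"

    # The collection command runs two variants of enabled_blades, so this line
    # can appear twice; use the first one that actually lists blades. Field 1
    # is always "blades:" under this pattern, so a nice error shows up in
    # field 2 ("blades: nice: ..."); that is why $2 is checked, not $1.
    if (blade_info_found == 0 && $2 != "nice:") {
        n = split($0, features_arr, " ")

        # A bare "blades: " line (n == 1) names no blade at all; leave
        # blade_info_found at 0 so the second variant's output is still used.
        if (n > 1)
            blade_info_found = 1

        # Field 1 is the "blades:" prefix; translate the remaining fields.
        for (i = 2; i <= n; i++) {
            if (features_arr[i] in blade_name)
                enabled_blades[blade_name[features_arr[i]]] = ""
        }
    }

    next
}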

#blade: AntiMalware
/^blade: / {
    # These lines are printed by the collection command itself, just before
    # the cpstat/avsu_client output for that blade; remember which blade the
    # following status lines belong to.
    current_blade = $2

    next
}

#AB Update status:           up-to-date
#Update status:           up-to-date
#Update status:           new
#Update status:           failed
#AV Update status:           failed
#AB Update status:
/Update status:/ {
    # cpstat for "AntiMalware" reports Anti-Bot and Anti-Virus together, each
    # line prefixed with AB or AV; pick the specific name for those. All other
    # blades keep current_blade from the preceding "blade:" line.
    if ($1 == "AB" || $1 == "AV")
        current_blade = ($1 == "AB") ? "Anti-Bot" : "Anti-Virus"

    # 1 = healthy, 0 = failing. An empty value ("AB Update status:") leaves
    # "status:" as the last field, which correctly lands in the failing case.
    blade_status_arr[current_blade] = ($NF == "up-to-date" || $NF == "new") ? 1 : 0

    next
}

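#DB version:              17081003
#AV DB version:              1708100834
/DB version: / {
    # Same AB/AV disambiguation as for the "Update status:" lines.
    if ($1 == "AB") {
        current_blade = "Anti-Bot"
    } else if ($1 == "AV") {
        current_blade = "Anti-Virus"
    }

    # The version number starts with the signature date as YYMMDD. Require at
    # least six leading digits before treating it as a date: a missing value
    # ("DB version:" alone) or a short one (a single digit would pass a plain
    # /[0-9]/ test and produce a garbage year) is recorded as epoch 0, which
    # END then treats as stale. The "20" century prefix assumes dates from
    # 2000 onwards.
    if ($NF ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]/) {
        yymmdd = $NF
        year = "20" substr(yymmdd, 1, 2)
        month = substr(yymmdd, 3, 2)
        day = substr(yymmdd, 5, 2)

        # date() is a parser helper not defined in this file; presumably it
        # returns seconds since the epoch for midnight of that day.
        update_time_arr[current_blade] = date(year, month, day)
    } else {
        update_time_arr[current_blade] = 0
    }

    next
}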


#Result: sig version=1010101, sig date=1247058927 (Wed Jul  8 06:15:27 2009
/Result: sig version/ {
    # avsu_client output for the Anti-Spam blade. The human-readable date at
    # the end of the line is used; counted from the right the fields are
    # year, time, day-of-month and three-letter month.
    if ($NF ~ /[0-9]/) {
        sig_year = $NF
        sig_day = $(NF-2)
        sig_month = parseMonthThreeLetter($(NF-3))

        update_time_arr[current_blade] = date(sig_year, sig_month, sig_day)
    } else {
        update_time_arr[current_blade] = 0
    }

    # No status field is parsed from this output, so assume healthy here; END
    # downgrades it to 0 when the signature date is older than 14 days.
    blade_status_arr[current_blade] = 1

    next
}

END {
    # Two weeks in seconds: signatures older than this count as not updating.
    max_age = 14 * 24 * 60 * 60

    for (blade in blade_status_arr) {
        # Only report blades listed by enabled_blades (its keys are fixed
        # literal names), so the "blade" tag never carries raw device output.
        if (!(blade in enabled_blades))
            continue

        # An absent update_time_arr entry evaluates as 0 here, so a blade with
        # a status line but no parsed signature date is reported as stale too.
        # If no "date:" line was parsed, current_since_epoch is 0 and this age
        # check cannot fire (for non-negative timestamps); the metric then
        # reflects only the "Update status:" value.
        if (current_since_epoch - update_time_arr[blade] > max_age)
            blade_status_arr[blade] = 0

        tags["blade"] = blade
        writeDoubleMetric("signature-update-status", tags, "gauge", 0, blade_status_arr[blade])
    }
}

check_point_signature_update_status_nonvsx
