Static routing table does not match across cluster members-checkpoint-gaia
Vendor: checkpoint
OS: gaia
Description:
Indeni will identify when two devices are part of a cluster and alert if their static routing tables are different.
Remediation Steps:
Ensure the static routing table matches across devices in a cluster.
Use the “show configuration” command in clish on each member and compare the "set static-route" lines between them.
How does this work?
The static routes are retrieved by parsing the Gaia configuration database, /config/active. They could also be retrieved via clish, but that creates many log entries in /var/log/messages.
Why is this important?
It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.
Without Indeni how would you find this?
An administrator could log in to each cluster member, run the command manually and compare the output by hand.
chkp-gaia-routes-vsx
name: chkp-gaia-routes-vsx
description: Report configured static and direct routes, and compare configured static routes with Linux routes.
type: monitoring
monitoring_interval: 10 minutes
requires:
  vendor: checkpoint
  os.name: gaia
  vsx: 'true'
  role-firewall: 'true'
  asg:
    neq: 'true'
comments:
  static-routing-table:
    why: |
      It is important that the routing is configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.
    how: |
      The static routes are retrieved by parsing the Gaia configuration database, /config/active. They could also be retrieved via clish, but that creates many log entries in /var/log/messages.
    can-with-snmp: true
    can-with-syslog: false
  connected-networks-table:
    why: |
      It is important that the connected interfaces are configured the same for all cluster members of the same cluster. Otherwise there can be downtime in the event of a failover.
    how: |
      The routes for directly connected interfaces are retrieved by parsing the Gaia configuration database, /config/active. They could also be retrieved via clish, but that creates many log entries in /var/log/messages.
    can-with-snmp: true
    can-with-syslog: false
  routes-missing-kernel:
    why: |
      If a static route is configured via clish or the WebUI, sometimes the system does not write the route into the Linux kernel routing table. To make sure all routes have been written, we compare the actual kernel routes with those configured in Check Point.
    how: |
      Retrieve the Linux kernel routes using the "netstat" command, and the Check Point configured routes from Gaia's /config/active file. Then compare the two route sets to make sure every configured route is present in the kernel.
    can-with-snmp: false
    can-with-syslog: false
steps:
  - run:
      type: SSH
      file: gaia-routes-vsx.remote.1.bash
    parse:
      type: AWK
      file: gaia-routes-vsx.parser.1.awk
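The two comparisons described above (the static-routing-table check between cluster members, and the routes-missing-kernel check between configured and kernel routes) as one added worked example. This is example code written for this page, not Indeni's gaia-routes-vsx collector script or its AWK parser. It works on the clish "show configuration" text that the remediation step tells the administrator to compare by hand, rather than on /config/active, and everything in it is constructed: the hostnames fw-a and fw-b, the route entries, and the netstat -rn output. Nexthops are compared as sets, so line order does not matter, and the "default" destination is normalized to 0.0.0.0/0 so that it compares equal to a kernel default route.

```python
import ipaddress
import re
from collections import defaultdict

# 'set static-route' lines as printed by 'show configuration': a gateway next hop
# (IP address or logical interface) or a blackhole/reject route. 'priority N' is ignored.
STATIC_ROUTE_RE = re.compile(
    r"^set static-route (?P<dest>\S+) nexthop "
    r"(?:gateway (?P<kind>address|logical) (?P<gw>\S+)(?: priority \d+)? on"
    r"|(?P<special>blackhole|reject))\s*$"
)

# Constructed 'show configuration' excerpts from two hypothetical cluster members.
MEMBER_A = """\
set hostname fw-a
set static-route default nexthop gateway address 192.168.1.1 on
set static-route 10.10.0.0/16 nexthop gateway address 192.168.1.254 on
set static-route 10.20.0.0/16 nexthop gateway logical eth1 on
set static-route 10.20.0.0/16 comment "to DC"
"""
MEMBER_B = """\
set hostname fw-b
set static-route default nexthop gateway address 192.168.1.1 on
set static-route 10.10.0.0/16 nexthop gateway address 192.168.1.253 on
set static-route 10.30.0.0/16 nexthop blackhole
"""
# Constructed 'netstat -rn' output of fw-a; the configured 10.20.0.0/16 route is absent.
NETSTAT_A = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       192.168.1.254   255.255.0.0     UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

def normalize_dest(dest):
    """Map clish destinations ('default', 'a.b.c.d/n') to canonical CIDR text."""
    return "0.0.0.0/0" if dest == "default" else str(ipaddress.ip_network(dest, strict=False))

def parse_static_routes(config_text):
    """{dest_cidr: frozenset((kind, value))}; kind is address/logical/blackhole/reject."""
    routes = defaultdict(set)
    for line in config_text.splitlines():
        m = STATIC_ROUTE_RE.match(line.strip())
        if not m:
            continue  # hostname, comment and other lines that carry no next hop
        dest = normalize_dest(m.group("dest"))
        if m.group("special"):
            routes[dest].add((m.group("special"), None))
        else:
            routes[dest].add((m.group("kind"), m.group("gw")))
    return {dest: frozenset(nh) for dest, nh in routes.items()}

def diff_static_routes(routes_a, routes_b):
    """(dest, nexthops_a, nexthops_b) for every destination the two members disagree on."""
    diffs = []
    for dest in sorted(set(routes_a) | set(routes_b), key=ipaddress.ip_network):
        if routes_a.get(dest) != routes_b.get(dest):
            diffs.append((dest, routes_a.get(dest, frozenset()), routes_b.get(dest, frozenset())))
    return diffs

def parse_netstat_routes(netstat_text):
    """{(dest_cidr, gateway, iface)} from IPv4 'netstat -rn' output."""
    kernel = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # title line and column header
        cidr = str(ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False))
        kernel.add((cidr, fields[1], fields[-1]))
    return kernel

def routes_missing_from_kernel(configured, kernel):
    """Configured (dest, kind, value) next hops with no kernel entry.
    'address' must match (dest, gateway); 'logical' must be a directly attached
    route (gateway 0.0.0.0) on that interface. blackhole/reject are not checked."""
    missing = []
    for dest, nexthops in configured.items():
        for kind, value in sorted(nexthops, key=str):
            if kind == "address":
                present = any(k[0] == dest and k[1] == value for k in kernel)
            elif kind == "logical":
                present = any(k[0] == dest and k[1] == "0.0.0.0" and k[2] == value for k in kernel)
            else:
                continue
            if not present:
                missing.append((dest, kind, value))
    return missing

if __name__ == "__main__":
    a, b = parse_static_routes(MEMBER_A), parse_static_routes(MEMBER_B)
    for dest, nh_a, nh_b in diff_static_routes(a, b):
        print(f"MISMATCH {dest}: fw-a={sorted(nh_a, key=str)} fw-b={sorted(nh_b, key=str)}")
    for dest, kind, value in routes_missing_from_kernel(a, parse_netstat_routes(NETSTAT_A)):
        print(f"NOT IN KERNEL on fw-a: {dest} via {kind} {value}")
```

On the sample data the member comparison reports three destinations (10.10.0.0/16 with different gateways, 10.20.0.0/16 only on fw-a, 10.30.0.0/16 only on fw-b) and the kernel check reports the 10.20.0.0/16 route via eth1 as configured but not written to the kernel table. To use it against real devices, feed it the saved output of "show configuration" from each member and "netstat -rn" from the member being checked.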
static_routing_table_comparison_non_vsx
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/static_routing_table_comparison_non_vsx.scala