topic Re: sk83520 how to check connectivity to CP in Firewall and Security Management

sk83520 how to check connectivity to CP

Kaspars_Zibarts — Mon, 12 Apr 2021 07:04:12 GMT

One of Dameon Welch Abernathy‌ favorite SKs mine too. I'm sure most have already written own check scripts, but if you have been too busy you may use this one. Output will look like this:

If needed you may chuck in --proxy <your proxy> option into curl_cli command. Just didn't want to make it too complex - this is just a quick fix to verify HTTP/S connectivity towards various CP servers in seconds.

FYI, I noticed that "push.checkpoint.com" returns 403 Forbidden, so I left it as "NOK" for now - script will only accept 200 OK, 301 Moved and 302 Found as valid response

As you will notice, you can add your own URLs to be checked at the bottom if you wish.

#!/bin/bash check_url () { result=" [ NOK ]" name="$2 " while [ ${#name} -lt 74 ]; do name="$name."; done echo -en "$name " if [ `curl_cli -Lisk $1 | head -1 | egrep -c "1.1 200|OK|Found|Moved"` -gt 0 ]; then result=" [ OK ]"; fi echo $result } echo echo "sk83520 How to verify that Security Gateway and/or Security Management Server can access Check Point servers" echo check_url 'http://cws.checkpoint.com/APPI/SystemStatus/type/short' 'Social Media Widget Detection' check_url 'http://cws.checkpoint.com/URLF/SystemStatus/type/short' 'URL Filtering Cloud Categorization' check_url 'http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short' 'Virus Detection' check_url 'http://cws.checkpoint.com/Malware/SystemStatus/type/short' 'Bot Detection' check_url 'https://updates.checkpoint.com/' 'IPS Updates and Updatable Objects' check_url 'http://crl.globalsign.com' 'CRL Globalsign' check_url 'http://dl3.checkpoint.com' 'Download Service Updates ' check_url 'https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService' 'Contract Entitlement ' check_url 'https://usercenter.checkpoint.com/usercenter/services/BladesManagerService' 'Software Blades Manager Service' check_url 'http://resolver1.chkp.ctmail.com' 'Suspicious Mail Outbreaks' check_url 'http://download.ctmail.com' 'Anti-Spam' check_url 'http://te.checkpoint.com/tecloud/Ping' 'Threat Emulation' check_url 'http://teadv.checkpoint.com' 'Threat Emulation Advanced' check_url 'https://threat-emulation.checkpoint.com/tecloud/Ping' 'Threat Emulation' check_url 'https://ptcs.checkpoint.com' 'PTC Updates' check_url 'http://kav8.zonealarm.com/version.txt' 'Deep inspection' check_url 'http://kav8.checkpoint.com' 'Traditional Anti-Virus' check_url 'http://avupdates.checkpoint.com/UrlList.txt' 'Traditional Anti-Virus, Legacy URL Filtering' check_url 'http://sigcheck.checkpoint.com/Siglist2.txt' 'Download of signature updates' check_url 'http://secureupdates.checkpoint.com' 'Manage Security Gateways' check_url 'https://productcoverage.checkpoint.com/ProductCoverageService' 'Makes sure the machines contracts are up-to-date' check_url 'https://sc1.checkpoint.com/sc/images/checkmark.gif' 'Download of icons and screenshots from Check Point media storage servers' check_url 'https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png' 'Download of icons and screenshots from Check Point media storage servers' check_url 'https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png' 'Download of icons and screenshots from Check Point media storage servers' check_url 'https://push.checkpoint.com/push/ping' 'Push Notifications ' check_url 'http://downloads.checkpoint.com' 'Download of Endpoint Compliance Updates' check_url 'http://productservices.checkpoint.com' 'Next Generation Licensing'

Re: sk83520 how to check connectivity to CP

PhoneBoy — Thu, 22 Feb 2018 23:28:03 GMT

There's a reason this is one of my favorite SKs: I believe I originated it

Re: sk83520 how to check connectivity to CP

XavierBens — Fri, 23 Feb 2018 13:31:50 GMT

Thanks https://community.checkpoint.com/people/kaspa0460ae43-b630-4a72-b063-0a8888fa3bb5‌

Re: sk83520 how to check connectivity to CP

Oren_Nudelman — Mon, 23 Apr 2018 08:46:31 GMT

Hi,

how do you know 200 OK is necessarily means the service is ok ?

I mean what if http is 200 but XML returns service error or something ?

also, using grep on 'Found' prints OK also for 404 Not Found so you need to change your if statement to something like this:

but i still found some FP using this script, see TE response for example which the script returns OK for it.

[Expert@Kings_Landing:0]# curl_cli -Lisk 'http://te.checkpoint.com'
HTTP/1.1 302 Found
Location: https://te.checkpoint.com/
Connection: close

HTTP/1.1 403 Forbidden
Date: Mon, 23 Apr 2018 08:37:07 GMT
Server: CPWS
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Set-Cookie: te_cookie=ANPHKIMA; Domain=te.checkpoint.com; Expires=Thu, 20-Apr-2028 08:51:56 GMT; Path=/

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Access forbidden!</title>
<link rev="made" href="mailto:systems@us.checkpoint.com" />
<style type="text/css"><![CDATA[/*></style>
</head>

<body>
<h1>Access forbidden!</h1>
<p>

You don't have permission to access the requested directory.
There is either no index document or the directory is read-protected.

</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:systems@us.checkpoint.com">webmaster</a>.

</p>

<h2>Error 403</h2>
<address>
<a href="https://community.checkpoint.com/">te.checkpoint.com</a><br />

<span>Mon Apr 23 10:37:07 2018<br />
Apache</span>
</address>
</body>
</html>

Re: sk83520 how to check connectivity to CP

PhoneBoy — Mon, 23 Apr 2018 14:01:53 GMT

I think if you get ANY response from it, you have connectivity (which is the main point of the SK).

If the services themselves aren't working, that's a different issue

Re: sk83520 how to check connectivity to CP

Oren_Nudelman — Mon, 23 Apr 2018 14:52:11 GMT

IMO, the OK here is abused since you get OK for both 403 and 404 so it's not so reliable.

if the tool is checking http level it should print http status code and reason instead of ok.

but that's just me... 🙂

Re: sk83520 how to check connectivity to CP

PhoneBoy — Mon, 23 Apr 2018 15:20:06 GMT

A more consistent status code would be an improvement, I agree.

Re: sk83520 how to check connectivity to CP

Oren_Nudelman — Mon, 23 Apr 2018 16:28:15 GMT

try this code, i added check to last HTTP response and if it's not 200 it print error with status code

#!/bin/bash
check_url () {
result=" [ ERROR ]"
name="$2 "
while [ ${#name} -lt 74 ]; do name="$name."; done
echo -en "$name "
response=$(curl_cli -LiskI $1 | grep "HTTP/1.1" | awk 'END { print }')
status=$(echo "${response}" | awk 'END { print $2 " " $3 " " $4}')
status_code=$(echo ${response} | awk '{ print $2 }')
if [ "${status_code}" != "200" ]; then
echo "${result} - Got HTTP ${status_code}"
else result=" [ OK ]"
echo "${result}"
fi
}

echo
echo "sk83520 How to verify that Security Gateway and/or Security Management Server can access Check Point servers"
echo

check_url 'http://cws.checkpoint.com/APPI/SystemStatus/type/short' 'Social Media Widget Detection'
check_url 'http://cws.checkpoint.com/URLF/SystemStatus/type/short' 'URL Filtering Cloud Categorization'
check_url 'http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short' 'Virus Detection'
check_url 'http://cws.checkpoint.com/Malware/SystemStatus/type/short' 'Bot Detection'
check_url 'https://updates.checkpoint.com/' 'IPS Updates'
check_url 'http://dl3.checkpoint.com' 'Download Service Updates '
check_url 'https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService' 'Contract Entitlement '
check_url 'https://usercenter.checkpoint.com/usercenter/services/BladesManagerService' 'Software Blades Manager Service'
check_url 'http://resolver1.chkp.ctmail.com' 'Suspicious Mail Outbreaks'
check_url 'http://download.ctmail.com' 'Anti-Spam'
check_url 'http://te.checkpoint.com' 'Threat Emulation'
check_url 'http://teadv.checkpoint.com' 'Threat Emulation Advanced'
check_url 'http://kav8.zonealarm.com/version.txt' 'Deep inspection'
check_url 'http://kav8.checkpoint.com' 'Traditional Anti-Virus'
check_url 'http://avupdates.checkpoint.com/UrlList.txt' 'Traditional Anti-Virus, Legacy URL Filtering'
check_url 'http://sigcheck.checkpoint.com/Siglist2.txt' 'Download of signature updates'
check_url 'http://secureupdates.checkpoint.com' 'Manage Security Gateways'
check_url 'https://productcoverage.checkpoint.com/ProductCoverageService' 'Makes sure the machines contracts are up-to-date'
check_url 'https://sc1.checkpoint.com/sc/images/checkmark.gif' 'Download of icons and screenshots from Check Point media storage s ervers'
check_url 'https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png' 'Download of icons and screenshots from Check Point media storage servers'
check_url 'https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png' 'Download of icons and screenshots from Check Point media storage servers'
check_url 'https://push.checkpoint.com' 'Push Notifications '
check_url 'http://downloads.checkpoint.com' 'Download of Endpoint Compliance Updates'

Re: sk83520 how to check connectivity to CP

Srdjan_B — Fri, 27 Sep 2019 10:06:28 GMT

Hi,

when using the script I get some NOK (IPS, Contract Entitlement...) unless I put in --cacert $CPDIR/conf/ca-bundle.crt as argument of curl_cli command (more in sk110779).

Re: sk83520 how to check connectivity to CP

Luis_Miguel_Mig — Tue, 08 Dec 2020 11:50:17 GMT

I have just noticed that the proxy configured in the GAIA is not in expert mode environment variables. Should it be?

Re: sk83520 how to check connectivity to CP

Billy — Wed, 08 Sep 2021 08:21:05 GMT

Hi,

I have updated the script and add the missing checks on github

https://github.com/billygr/CheckPoint/blob/master/sk83520.sh

Pending proxy support and view 404 errors because i don't have the exact URL to check

You can easy run it on the gw/mgmt without copy paste etc etc

Have fun