topic Re: R82 cluster monitoring with Insights in Firewall and Security Management

R82 cluster monitoring with Insights

marcyn — Mon, 22 Jul 2024 14:47:26 GMT

Hi Checkmates,

I have created my own lab with 2x 23500 with R82 EA configured as ElasticXL cluster.
Everything looks fine except one minor thing... I don't see any traffic in Insights -> Tools -> ConnView:

It doesn't matter if I use filter on the left to see particular traffic or not ... after I hit Search button - I see nothing.

Of course there is a traffic from host in "net1" (internal) to host in "net2" (external) - it goes via Check Point R82 (NAT+routing_firewall). I can see this traffic via tcpdump/cppcap/fw monitor ... in logs, etc.

On the other hand - the same looks perfect in TechPoint's Quantum R82 ElasticXL (EA Review):

Is there any requirement for this tool to be able to display connections ?
For example some process/daemon/etc. must be configured first ?

BTW
R82 looks amazing, especially ElasticXL in my opinion will be game changer !

--
Best
Marcin

Re: R82 cluster monitoring with Insights

ShaiF — Mon, 22 Jul 2024 14:10:14 GMT

Hi Marcin,

You are correct and you should see the connection table with or without filter.

Unless your query exceeded max entries of 1000 on one of your cluster member. but in that case you should have seen pop up alert on insight mentioning this and tell you to narrow down your search by adding more filters.

I will install EA version and see if reproduce.

Will keep you updated.

Regards,

Shai

Re: R82 cluster monitoring with Insights

marcyn — Mon, 22 Jul 2024 14:17:58 GMT

Hi @ShaiF

Great, looking forward your test results.

Just to clarify - my lab is absolutely basic one ... I've just addressed two interfaces, added this cluster to SMS, changed CleanUp Rule to become PassAll, started the traffic flow ... and generally that's it.
Insights works great - I see a lt of statistics (first pane), alerts, etc ... only the last pane "doesn't like me" 🙂

Hopefully we will find why.

--
Best
Marcin

Re: R82 cluster monitoring with Insights

the_rock — Mon, 22 Jul 2024 14:22:30 GMT

Hey Marcin,

Is this cpview or something else? I have exl lab, so can check as well.

Andy

Re: R82 cluster monitoring with Insights

marcyn — Mon, 22 Jul 2024 14:34:38 GMT

Hi @the_rock,

This is new tool introduced in R82 for cluster monitoring (for ElasticXL and Maestro).

You can run it by executing command "insights" from gateway.

Re: R82 cluster monitoring with Insights

the_rock — Mon, 22 Jul 2024 14:55:31 GMT

I used eve-ng for this, gives below...will see if that setting is in terminal settings, cant seem to find it lol

Andy

[Expert@CP-EXL-1-s01-01:0]# insights

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.
Current terminal size is (columns = 72, rows = 19)
To watch information regarding your cluster use one of the following commands:
- From gClish:
> show cluster info ...
- From expert:
# cinfo --help

For best view of insights adjust your preferred terminal application with the following settings:
- Terminal type: xterm
- Font: consolas
- Encoding: UTF-8

[Expert@CP-EXL-1-s01-01:0]#

Re: R82 cluster monitoring with Insights

marcyn — Mon, 22 Jul 2024 14:44:00 GMT

just enlarge your terminal window to fulfill this requirement:

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.

As you can see yours is like this:

Current terminal size is (columns = 72, rows = 19)

And then magic will happen 🙂

Re: R82 cluster monitoring with Insights

the_rock — Mon, 22 Jul 2024 15:09:05 GMT

Never mind, I googled it quick, ran this command and now I see the menu. let me check it later on.

Andy

[Expert@CP-EXL-1-s01-01:0]# stty cols 200 rows 150

Re: R82 cluster monitoring with Insights

ShaiF — Tue, 23 Jul 2024 08:14:01 GMT

After investigating the issue. We found out it is due to the fact connview tool (which insights ConnView tab is using) is not working with Kernel FW mode.
Solution is to change USFW.

Re: R82 cluster monitoring with Insights

marcyn — Tue, 23 Jul 2024 08:28:04 GMT

Yes,

Thank you @ShaiF for this quick remote session.

And I can confirm what Shai just wrote.
We found out this:

[Expert@R82-01-s01-01:0]# connview
[Error] ConnView is not supported on a Security Gateway that runs the Firewall in the Kernel mode (KSFW). For more information, see sk167052.

And everything is clear now ... It is really "funny" because USFW as we know is enabled by default, but not for 23500 appliance ... which I have in my lab 🙂
/it looks like only this one particular model does not have it enabled by default ... lucky me 😉 /

After I switched to USFW I can see connections in insights.
So in case anybody else will have such "issue" it's just Firewall Mode.

Thank you Shai, it was resolved really fast 🙂

--
Best
m.

Re: R82 cluster monitoring with Insights

_Val_ — Tue, 23 Jul 2024 10:31:08 GMT

EDITED: My original statement was incorrect, now removed.

@ShaiF knows better 🙂

Re: R82 cluster monitoring with Insights

ShaiF — Tue, 23 Jul 2024 09:53:36 GMT

Hi Val,

In EA take FW mode depends on models and platform (EXL run USFW by default as well on some models and VM). In GA take all appliances and platforms (Single Gateway, ClusterXL, Maestro, EXL..) will have USFW by default.

Regards,

Shai.

Re: R82 cluster monitoring with Insights

the_rock — Tue, 23 Jul 2024 11:21:00 GMT

Will check this in the lab later 🙂

Andy

Re: R82 cluster monitoring with Insights

the_rock — Tue, 23 Jul 2024 12:00:52 GMT

Hey @ShaiF @marcyn

Just for context, I tested it in elasticxl in eve-ng and shows user kernel mode is enabled.

Andy

elasticxl:

[Expert@CP-EXL-1-s01-01:0]# cpprod_util FwIsUsermode
1
[Expert@CP-EXL-1-s01-01:0]#

regular R82:

[Expert@R82-TEST-FW:0]# cpprod_util FwIsUsermode
1
[Expert@R82-TEST-FW:0]#