topic Re: Monitoring if Aggressive Aging is enabled and active in Firewall and Security Management

Monitoring if Aggressive Aging is enabled and active

tjoll — Mon, 23 Sep 2024 13:49:17 GMT

Hi All,

I'm looking for the best way to monitor the Aggressive Aging feature on Check Point appliances with different setups. (Gateways, VSX, Maestro, VSX on Maestro) Unfortunately, there is no standard way to monitor if the feature is enabled and active. My suggestion would be the following:

- Use a custom SNMP oid so the monitoring can poll the oid. --> This is an issue on Maestro setups because you can only monitor the SMO.
- Use a custom script on the gateway appliances to check the 'active' string in the output of 'fw ctl pstat' and report back. --> I would like to avoid to run the script on the gateways because of possible performance issues caused by the script.
- Use a custon script on the mgmt server and read the output of 'fw log' and report back. --> Might be the best option.
- Maybe using Skyline to check if the feature is active. Although I'm not sure if this is reported back to Skyline.

I've also tried to monitor other variables related to aggressive aging like memory and connection limit, but without success. The memory is related to firewall memory which is different then the one that can be monitored (system memory). And I'm also missing an option to monitor the connection limit.

Does somebody have a different option or approach to monitor if the feature is enabled and active? Any suggestions are welcome.

Thanks.

Mitchel

Re: Monitoring if Aggressive Aging is enabled and active

Chris_Atkinson — Mon, 23 Sep 2024 14:39:50 GMT

There is a control log generated when it is active, perhaps the SIEM could look for this and alert accordingly?

Re: Monitoring if Aggressive Aging is enabled and active

G_W_Albrecht — Mon, 23 Sep 2024 14:56:28 GMT

Here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/fw-ctl-pstat.htm#

You see:

[Expert@MyGW:0]# fw ctl pstat
System Capacity Summary:
 Memory used: 3% (265 MB out of 7117 MB) - below watermark
 Concurrent Connections: Not Available
 Aggressive Aging is enabled, not active
...

Re: Monitoring if Aggressive Aging is enabled and active

Elad_Chomsky — Mon, 23 Sep 2024 15:30:38 GMT

Hi @tjoll ,

We are about to release a new feature, allowing custom scripts in Skyline during October, combined with Grafana it might be what you are looking for, contact me in private at eladch@checkpoint.com, and we can try to assist you to install it and do early testing.

Re: Monitoring if Aggressive Aging is enabled and active

Lesley — Mon, 23 Sep 2024 16:47:03 GMT

Posting here because I have worked together with Mitchel on this case.

This case is especially interesting due the Maestro setup. I have a feeling only Skyline is the proper tooling for this product line.

Re: Monitoring if Aggressive Aging is enabled and active

Lloyd_Braun — Mon, 23 Sep 2024 17:11:15 GMT

Did you already look into configuring "SNMP Trap" as the Track: setting in the Aggressive Aging protection, in "Inspection Settings" section? There is also potential in threshold_config and smartview monitor to configure SNMP traps based on concurrent connections, though I am seeing that labeled as "concurrent connection rate" so not sure if you could configure it to fire when connection table gets to a specific size.

Re: Monitoring if Aggressive Aging is enabled and active

tjoll — Tue, 24 Sep 2024 06:57:13 GMT

Yeah, that's a possibility. Although we cannot create a filter to only log the aggressive aging logs. Importing all other logs will heavily increase our license/costs. Unless you know a proper was to filter the logs. Maybe only threat prevention logs?

Re: Monitoring if Aggressive Aging is enabled and active

tjoll — Tue, 24 Sep 2024 07:00:02 GMT

Hi G_W_Alrbecht,

That was one of the options I described in the opening post. Maybe build our own script around it. But it can consume some extra performance on the gateway. So not sure if this is the best solution I've got.

Re: Monitoring if Aggressive Aging is enabled and active

tjoll — Tue, 24 Sep 2024 07:02:25 GMT

Yeah, although it is for a Maestro setup. I'm willing to make a script for different flavors of gateways.

Re: Monitoring if Aggressive Aging is enabled and active

tjoll — Tue, 24 Sep 2024 07:09:23 GMT

I was looking into that as well. Currently, our platform does not support traps. SNMP traps are not as reliable for proper monitoring. What if we miss the SNMP trap because the packet does not arrive on our monitoring system because of the performance issues on the gateway, we try to monitor? Then we're still partly blind because we did not receive the trap.

If we cannot actively poll the feature, then I will look into traps again.

Re: Monitoring if Aggressive Aging is enabled and active

Tomer_Noy — Wed, 25 Sep 2024 05:59:04 GMT

If you know how to identify a specific log that states whether aggressive aging is on, then you can write a script that will leverage the "show logs" API on the Management. This won't require exporting many logs to your SIEM.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.9.1%20

Another alternative, is to use the Compliance blade with a custom GAIA best practice that would run the suggested commands to check for aggressive aging configuration. This would be a simple script with a success/fail output that would be run on all your gateways by the Compliance mechanism, store the results and present them in reports along with other compliance/best practice information.
Here's a post from a while back that explain how to use it: https://community.checkpoint.com/t5/Management/Now-we-allow-You-to-define-your-own-Gaia-OS-Best-Practices/td-p/855

Re: Monitoring if Aggressive Aging is enabled and active

tjoll — Wed, 25 Sep 2024 10:14:05 GMT

Hi Elad,

Yesterday, I've tried to setup Skyline. Prometheus, Grafana and the dashboards are running. When pushing the JSON payload to the gateway, we see in a tcpdump the connection from the gateway to Skyline. Unfortunately, we see errors in Prometheus about the data being received in the wrong order. Sometimes with a HTTP 400 bad request. So currently, we're stuck even at the GA version 😂

Re: Monitoring if Aggressive Aging is enabled and active

Elad_Chomsky — Wed, 25 Sep 2024 10:27:22 GMT

Hi @tjoll ,

Please contact me in private in eladch@checkpoint.com, I will try to assist you.