topic Re: HCP-X...The Leading Edge in Firewall and Security Management

HCP-X...The Leading Edge

Timothy_Hall — Mon, 28 Apr 2025 12:07:24 GMT

So interestingly there appears to be some extra not-yet-published leading edge tests that can be added on to the standard hcp command with the --tac option once hcp has been updated to the latest version:

sk183223: HealthCheck Point Addon

I always found it interesting to informally track what new tests are added to hcp with each new update as these tend to be driven by what current cases TAC is seeing, and in some cases has tipped me off to an issue even before an SK article was created or a Checkmates post appeared. So let's take a look at these leading-edge TAC tests that aren't run by default!

EDIT: There is no need to download a new copy of hcp with curl_cli as shown in this screenshot, please see my follow-up post below.

Some definitely juicy ones here:

Missing routes from kernel which I actually mentioned in my Be Your Own TAC Part Deux presentation due to an unreachable next-hop address
IKEv2 Narrowing Issue Detection which was a major VPN interoperability issue at one point
Dynamic Balancing and GNAT Validation which I assume is checking for a situation where Dynamic Balancing/Split is disabled to to GNAT being off (which happens on gateways with less than 8 cores even if they support Dynamic Split)
dynamic_split --z occurrences not completely sure here, perhaps if split flapping was detected and an anti-flap penalty was enforced?
ARP Drops assume this is due to invalid next hops (sk182582)
RAD Tests Oh yes definitely...

The cool part is if you aren't sure exactly what a certain hcp test means (even if it is a TAC test), you can always go look at the python source code for the test itself and see precisely what it is looking for here: /etc/hcp/tests/*/*.py

Re: HCP-X...The Leading Edge

PhoneBoy — Mon, 21 Apr 2025 17:17:05 GMT

I quite like how much data HCP can collect.

Re: HCP-X...The Leading Edge

the_rock — Mon, 21 Apr 2025 18:36:04 GMT

I cant seem to find that sk, either by opening the link or searching for it.

Andy

Re: HCP-X...The Leading Edge

Timothy_Hall — Mon, 21 Apr 2025 18:47:21 GMT

Odd, it was there Saturday but now I can't see it either. There wasn't much in that SK other than the command I used in the screenshot to update hcp, and a mention of the --tac option.

Re: HCP-X...The Leading Edge

the_rock — Mon, 21 Apr 2025 18:49:21 GMT

No worries! Yes, I ran the command you gave in your screenshot in one of my R82 lab fws and worked great.

Andy

Re: HCP-X...The Leading Edge

Timothy_Hall — Sun, 27 Apr 2025 18:25:25 GMT

So after some more investigation performed while updating my Gateway Performance Optimization Course, it looks like takes 76 and higher of hcp have the TAC tests capability built-in, and there is no need to download a different version of hcp as shown in my original posting's screenshot. Here is the new page from my course for future reference:

Re: HCP-X...The Leading Edge

the_rock — Sun, 27 Apr 2025 19:26:12 GMT

Thanks for that Tim!

Re: HCP-X...The Leading Edge

Duane_Toler — Tue, 29 Apr 2025 16:04:21 GMT

Oh wow! This is nice! An extra 100 oddball tests available!

hcp -l --tac |awk -F "|" ' $3 ~ /TAC/ { print $0 }' |wc -l 100

Nice find! 🙂

Re: HCP-X...The Leading Edge

the_rock — Tue, 29 Apr 2025 17:23:25 GMT

good find!

Re: HCP-X...The Leading Edge

Timothy_Hall — Tue, 29 Apr 2025 18:06:06 GMT

Yep just remember these TAC tests are not supported (don't bug TAC if you see a failure of one of these) and can change at any time!

Re: HCP-X...The Leading Edge

the_rock — Tue, 29 Apr 2025 18:13:30 GMT

I ran it on few fws and no issues.

Andy

Re: HCP-X...The Leading Edge

kingCommaAndrew — Tue, 23 Sep 2025 14:38:25 GMT

Note that the SK is currently internal and may be made available to a wider audience in the future. No ETA currently.

Re: HCP-X...The Leading Edge

Timothy_Hall — Tue, 23 Sep 2025 14:42:26 GMT

Yes, but it was briefly exposed. These types of posts are the result of my weekly review of all SKs, which helps keep my Gateway Performance Optimization Course fully up to date. 🙂