topic Re: IPS Update Monitoring in API / CLI Discussion

IPS Update Monitoring

Nüüül — Sun, 29 Jul 2018 00:21:13 GMT

Hi,

I wrote a small script, using the SDK from Checkpoint (GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit ) for checking IPS Updates with my Monitoring Server (Centreon, based on Nagios, more or less )

For the login, the SDK is used (i changed one option in Login part of mgmt_api.py: (unsafe_auto_accept --> true) should work with the default - false - too, but was easier for me.

After successful logging in, we are parsing the API output from show-ip-status and comparing it with i.e actual date or "update available".

After some calculating and comparing the script gives output, understandable for Nagios based systems.

UNKNOWN = -1 - OK = 0 - WARNING = 1 - CRITICAL = 2

Good

Bad:

And there is a state WARNING for 1 - 3 Days Delta from IPS Update

The Thresholds are freely configurable (on daily base).

What would be good, is a possibility to get the current IPS Database version from Checkpoint, so, one might want to check the version against checkpoint, not, what the managment server found.

I started working on this with the question of Sven Glock (IPS Monitoring ) in mind - maybe that kind of helps... and for my own of course

To use it on Nagios Server you need:

python installed (script worked with 2.7 and 3.7

in the plugin folder i created an own "checkpoint" folder, containing the SDK and my script.

Feel free to have a look, I´m sure, there is space for improvements....

Regards,

Daniel

Re: IPS Update Monitoring

Ryan_St__Germai — Tue, 31 Jul 2018 14:29:56 GMT

Great work! What is the benefit of using this over signing up for email alerts on IPS updates from Check Point?

Ryan

Re: IPS Update Monitoring

Nüüül — Tue, 31 Jul 2018 14:50:03 GMT

Hi Ryan,

the email gives you the information, that there is a new version.

The script checks the installed version and whether your appliance did find an updated version but i.e. is not yet applied.

Perfect would be a possibility for the monitoring server to fetch the last recent version number, to avoid, that Checkpoint Management Server cannot connect to checkpoint for any reason

And, you have this visible for Monitoring Systems like Nagios and so, which leads into a traffic light like (red, yellow, green) - good for Management

Daniel

Re: IPS Update Monitoring

Tomer_Sole — Wed, 01 Aug 2018 07:01:11 GMT

Hi, cool integration!

May I ask what are your reasons to not scheduling your Management Server to automatically run IPS Updates and install them? R80.10 Gateways install IPS as part of Threat Prevention policy, not Access Control, which means they're not susceptible to install changes made in policy rules.

Re: IPS Update Monitoring

Nüüül — Wed, 01 Aug 2018 10:27:07 GMT

Hi Tomer,

here it is more because of "having an eye" on this. And i.e. being able to monitor and report that you have the last recent version installed, without letting others logging into the SmartConsole.

And, if it would be possible to obtain the last recent version number from kind of a feed or so, this check would send alarms, when there are new versions, but management was not able to download it for any reason (DNS, firewall infront of it - what ever)

I have customers (managed service), who want to see from time to time, whether they are OK on that and other topics.

Daniel

Re: IPS Update Monitoring

Nüüül — Tue, 06 Nov 2018 13:01:31 GMT

FYI

From Upgrade to R80.20 the Reply of API changed, so, i´ll rewrite the script to be able to monitor R80.20 installations too.

Re: IPS Update Monitoring

Sven_Glock — Wed, 07 Nov 2018 06:58:38 GMT

Ohhh - what a nice post, Daniel! I found it accidently today.

Thanks for sharing your script!

Re: IPS Update Monitoring

_Val_ — Wed, 07 Nov 2018 08:19:46 GMT

brilliant

Re: IPS Update Monitoring

Nüüül — Tue, 18 Jun 2019 18:26:07 GMT

finally did it. running with R80.30 too...

basically had to update the calls for cpapi(SDK)

Re: IPS Update Monitoring

Oscar_Figueruel — Fri, 20 Sep 2019 09:28:25 GMT

Nice Post Daniel, thanks

Re: IPS Update Monitoring

Nüüül — Sun, 06 Sep 2020 12:10:33 GMT

Was finally able to update the script. should work for R8040 too and is now able to talk to Smart1 Cloud instances (basically added another argument for setting a value to "context"). Also I did some smaller changes. Updated script and more informations here:

https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios

Currently I am working on fetching all managed gateways from management and collecting the installed IPS versions from them for comparison against management installed IPS version.

Don‘t know if this is useful. more for learning and expanding my python „skills“.. 🙂

- Edit 20200906

Added argument "-M" for checking Managements IPS Version only.
if not set, the script will fetch a list of managed gateways ("show-simple-gateways") and check their IPS version tooo ("run-script" -> "clish -c \"show security-gateway ips status\"")
Also kind of reorganised the script into functions.

(have in mind that the API calls take some time so it night be necessary to change the timeout for the check/service)

Re: IPS Update Monitoring

Nüüül — Sun, 25 Oct 2020 20:08:01 GMT

script is updated again.

20201024

added and improved error handling
- when SMS did not get an IPS version update or was not able to fetch recent version
- when SMS cannot reach a gateway
- added more logging outputs at verbose executing (-v)
- for checking on "On Premise" SMS, no argument "-C" needed

more Information like how to use is at the GitHub Readme - i updated it too 😉

https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios

Re: IPS Update Monitoring

Ian — Wed, 09 Jun 2021 17:36:07 GMT

This is fantastic! Any chance someone has modified the script for MDS yet?

Re: IPS Update Monitoring

Nüüül — Thu, 10 Jun 2021 02:36:06 GMT

Hi Ian,

at least I did not, sorry. As I don’t have an mds at hands. But it should be possible with reasonable effort like the ‚-c‘ for context (Smart1-Cloud).

cheers

Daniel

Re: IPS Update Monitoring

Nüüül — Sat, 21 Aug 2021 07:42:36 GMT

20210821

updated the Script by adding -i and -s

for „ignore gateway“ / „select gateway“
also changed a Minor thing at gateway check…