topic Re: HCP roadmap question in General Topics

HCP roadmap question

Don_Paterson — Wed, 09 Oct 2024 21:07:40 GMT

Is there a roadmap for new features planned for hcp?

One area I would be interested to know about is CloudGuard Network Security health checks.

Since some of the daemons are unique per CSP and there are unique troubleshooting and testing scripts for cloud it seems like a good idea to have a single command that can run the relevant cloud tests.

Thanks,

Don

Re: HCP roadmap question

Tal_Paz-Fridman — Thu, 10 Oct 2024 18:02:13 GMT

I have forwarded your request to CloudGuard owners in R&D.

Re: HCP roadmap question

Tal_Paz-Fridman — Sun, 13 Oct 2024 09:26:43 GMT

Hi @Don_Paterson

Could you please elaborate which tests are missing? What features and scripts would you like HCP to cover?

Re: HCP roadmap question

Don_Paterson — Thu, 12 Dec 2024 15:55:37 GMT

Hi Tal,

Sure.

There could be a CloudGuard topic in the Test area (under Gaia, System, Cluster etc.).

Capturing the *-ha.json files can show the relevant details in the hcp output. For example, the Tenant ID, RG, cluster-vip, templateName etc.

Maybe they can be checked for some of that content (presence).

Capture these files and any other files of interest in /etc/

/etc/cloud-version
/etc/cloud-version.json

Display Template version and refer to https://support.checkpoint.com/results/sk/sk173705

Checking that the relevant HAD is up and running e.g. AZURE_HAD;

Example: Check that /etc/fw/scripts/azure_had.py is running

- cpwd_admin getpid -name AZURE_HAD

- cpwd_admin list | grep AZURE_HAD

Capturing public IP addresses could improve visibility in the HCP Topology view.

HCP connectivity tests could include public cloud dependent URLs and/or IPs e.g. 168.63.129.16

Health probe checks (?)

Check or capture proxy settings.

IAM permissions checks.

Maybe run the *ha_test.py scripts to capture output.

That could be enough to cover many of the CloudGuard Network Security/Gateway tests and capture output for HCP.

Maybe a CloudGuard test could be added to the list: hcp -r CloudGuard

I don't see anything like that in the list ( hcp --cli-list-tests)

References:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Single_AZ_Cluster/Content/Topics-AWS-SingleAZ-Cluster-DG/Troubleshooting.htm

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-DG/Troubleshooting.htm

From sk175023 - ATRG: CloudGuard Network for Azure - High Availability (HA)

How can I know that my cluster is well configured?
1. Make sure that the tester ($FWDIR/scripts/azure_ha_test.py)passes and there are no errors in $FWDIR/log/azure_had.log on each member.
2. Ensure that the cluster members use a Jumbo Hotfix that contains fixes of the relevant limitation mentioned above.
3. Make sure that the daemon in charge of communicating with Azure runs on each cluster member by running: cpwd_admin getpid -name AZURE_HAD and ensuring the output is different from 0.
Thanks,

Don

Re: HCP roadmap question

Don_Paterson — Sat, 19 Oct 2024 07:09:15 GMT

Hi Tal,

This seems like a good thread to ask if there are plans for VM Watch to be integrated into any of thw Azure CloudGuard NS solutions?

https://learn.microsoft.com/en-us/azure/virtual-machines/azure-vm-watch

Regards,

Don

Re: HCP roadmap question

Don_Paterson — Sat, 19 Oct 2024 19:49:55 GMT

I am adding this link to a post I did last year which is related to this new post.

https://community.checkpoint.com/t5/Cloud-Network-Security/CloudGuard-simplified-troubleshooting/m-p/199379