Nüüül
Advisor

IPS Update Monitoring

Hi,

I wrote a small script, using the SDK from Checkpoint (GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit), for checking IPS updates with my monitoring server (Centreon, based on Nagios, more or less :) )

For the login, the SDK is used (I changed one option in the login part of mgmt_api.py: unsafe_auto_accept --> true). It should work with the default (false) too, but this was easier for me.

After logging in successfully, we parse the API output from show-ips-status and compare it with e.g. the actual date or "update available".

After some calculating and comparing, the script gives output understandable for Nagios-based systems.

UNKNOWN = -1 - OK = 0 - WARNING = 1 - CRITICAL = 2

Good:

Bad:

And there is a WARNING state for a 1 - 3 day delta from the IPS update.

The thresholds are freely configurable (on a daily basis).

What would be good is a possibility to get the current IPS database version from Checkpoint, so one could check the version against Checkpoint, not against what the management server found.

I started working on this with the question of Sven Glock (IPS Monitoring) in mind - maybe that kind of helps... and for my own of course :)

To use it on a Nagios server you need:

python installed (the script worked with 2.7 and 3.7)

In the plugin folder I created an own "checkpoint" folder, containing the SDK and my script.

Feel free to have a look, I'm sure there is space for improvements....

Regards,

Daniel
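The evaluation step described above (parse the show-ips-status reply, compare the last update with the current date and an "update available" flag, map the result onto Nagios states with day-based thresholds), as an added example written for this thread; it is not Daniel's script from the GitHub repository and not code from the Check Point SDK. The reply field names `installed-version`, `update-available` and `last-updated` (with an `iso-8601` member) are assumptions about the API reply, the sample reply is constructed, and the exit codes follow the Nagios plugin convention (OK=0, WARNING=1, CRITICAL=2, UNKNOWN=3). The `fetch_ips_status` helper shows the SDK login pattern from the SDK README and is only needed for a live check:

```python
"""Nagios-style evaluation of a Check Point show-ips-status reply.

Added example, not the script from the thread. Assumptions (labelled):
the reply fields 'installed-version', 'update-available' and
'last-updated' (with an 'iso-8601' member) are assumed names, and the
sample reply below is constructed, not captured from a real server.
"""
import sys
from datetime import datetime, timezone

# Nagios plugin exit codes (plugin convention: UNKNOWN is 3)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_cp_time(value):
    """Parse an assumed Check Point time object such as
    {"iso-8601": "2020-09-06T10:00:00+0200", "posix": ...}; returns an
    aware datetime or None when the field is missing or malformed."""
    if isinstance(value, dict):
        value = value.get("iso-8601")
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None


def evaluate_ips_status(status, now=None, warn_days=1, crit_days=3):
    """Map a show-ips-status reply (dict) onto (exit_code, plugin_output).

    - age of the installed IPS package >= crit_days   -> CRITICAL
    - age >= warn_days                                -> WARNING
    - 'update-available' true raises the state to at least WARNING
    - missing fields or a future timestamp (clock skew) -> UNKNOWN
    The perfdata after '|' lets Nagios/Centreon graph the age over time.
    """
    now = now or datetime.now(timezone.utc)
    if not isinstance(status, dict) or "installed-version" not in status:
        return UNKNOWN, "UNKNOWN - reply contains no installed-version"
    last = parse_cp_time(status.get("last-updated"))
    if last is None:
        return UNKNOWN, "UNKNOWN - reply contains no usable last-updated time"
    age_days = (now - last).total_seconds() / 86400.0
    if age_days < 0:
        return UNKNOWN, "UNKNOWN - last-updated lies in the future (clock skew?)"

    state = OK
    if age_days >= crit_days:
        state = CRITICAL
    elif age_days >= warn_days:
        state = WARNING
    notes = []
    if status.get("update-available"):
        state = max(state, WARNING)  # never downgrade a CRITICAL age
        notes.append("newer version available but not installed")
    perf = "|ips_age_days=%.2f;%d;%d" % (age_days, warn_days, crit_days)
    text = "%s - IPS %s installed %.1f days ago" % (
        STATE_NAME[state], status["installed-version"], age_days)
    if notes:
        text += " (" + "; ".join(notes) + ")"
    return state, text + perf


def fetch_ips_status(server, user, password):
    """Fetch the live reply with the Check Point Python SDK (cpapi), following
    the login pattern from the SDK README. Imported lazily so the evaluation
    logic above runs without the SDK installed. unsafe_auto_accept=True
    auto-accepts the server fingerprint as in the thread; for a production
    check keep the default and accept the fingerprint once interactively."""
    from cpapi import APIClient, APIClientArgs
    with APIClient(APIClientArgs(server=server, unsafe_auto_accept=True)) as client:
        login = client.login(user, password)
        if not login.success:
            raise RuntimeError("login failed: %s" % login.error_message)
        res = client.api_call("show-ips-status")
        if not res.success:
            raise RuntimeError("show-ips-status failed: %s" % res.error_message)
        return res.data


# Constructed sample reply (assumed field layout) and a fixed "now" so the
# stand-alone run is reproducible: the package is about 2.2 days old.
SAMPLE_REPLY = {
    "installed-version": "635158123",
    "update-available": False,
    "last-updated": {"iso-8601": "2020-09-06T10:00:00+0200"},
}
NOW_FOR_SAMPLE = datetime(2020, 9, 8, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    code, output = evaluate_ips_status(SAMPLE_REPLY, now=NOW_FOR_SAMPLE)
    print(output)
    sys.exit(code)
```

Run stand-alone it prints a WARNING line with perfdata and exits 1; for a live check replace `SAMPLE_REPLY` with `fetch_ips_status(host, user, password)` and pass the real field names your management version returns. Computing the age in fractional days rather than calendar days keeps the thresholds stable across time zones and around midnight.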

14 Replies
Ryan_St__Germai
Advisor

Great work! What is the benefit of using this over signing up for email alerts on IPS updates from Check Point?

Ryan

Nüüül
Advisor

Hi Ryan,

The email gives you the information that there is a new version.

The script checks the installed version and whether your appliance found an updated version that e.g. is not yet applied.

Perfect would be a possibility for the monitoring server to fetch the most recent version number, to avoid that the Checkpoint Management Server cannot connect to Checkpoint for any reason.

And you have this visible for monitoring systems like Nagios and so on, which leads to a traffic light (red, yellow, green) - good for management :)

Daniel

Tomer_Sole
Mentor

Hi, cool integration!

May I ask what your reasons are for not scheduling your Management Server to automatically run IPS updates and install them? R80.10 Gateways install IPS as part of the Threat Prevention policy, not Access Control, which means they're not susceptible to install changes made in policy rules.

Nüüül
Advisor

Hi Tomer,

Here it is more about "having an eye" on this, and e.g. being able to monitor and report that you have the most recent version installed, without letting others log into the SmartConsole.

And if it were possible to obtain the most recent version number from some kind of feed, this check would send alarms when there are new versions but management was not able to download them for any reason (DNS, firewall in front of it - whatever).

I have customers (managed service) who want to see from time to time whether they are OK on that and other topics.

Daniel

Nüüül
Advisor

FYI

Since the upgrade to R80.20 the reply of the API changed, so I'll rewrite the script to be able to monitor R80.20 installations too.

Nüüül
Advisor

Finally did it. Running with R80.30 too...

Basically had to update the calls for cpapi (SDK).

Sven_Glock
Advisor

Ohhh - what a nice post, Daniel! I found it accidentally today.

Thanks for sharing your script! 

_Val_
Admin

brilliant

Oscar_Figueruel
Participant

Nice Post Daniel, thanks
Nüüül
Advisor

Was finally able to update the script. Should work for R80.40 too and is now able to talk to Smart-1 Cloud instances (basically added another argument for setting a value for "context"). Also I did some smaller changes. Updated script and more information here:

https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios

Currently I am working on fetching all managed gateways from management and collecting the installed IPS versions from them for comparison against the IPS version installed on management.

Don't know if this is useful; more for learning and expanding my python "skills".. 🙂

- Edit 20200906

Added argument "-M" for checking the Management's IPS version only.
If not set, the script will fetch a list of managed gateways ("show-simple-gateways") and check their IPS version too ("run-script" -> "clish -c \"show security-gateway ips status\"").
Also kind of reorganised the script into functions.

(Have in mind that the API calls take some time, so it might be necessary to change the timeout for the check/service.)

Nüüül
Advisor

Hi

The script is updated again.

20201024

  • added and improved error handling
    • when the SMS did not get an IPS version update or was not able to fetch the recent version
    • when the SMS cannot reach a gateway
  • added more logging output when executing verbosely (-v)
  • for checking an "On Premise" SMS, no argument "-C" is needed

More information, like how to use it, is in the GitHub README - I updated it too 😉

https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios
Ian
Employee

This is fantastic!  Any chance someone has modified the script for MDS yet?

Nüüül
Advisor

Hi Ian,

At least I did not, sorry, as I don't have an MDS at hand. But it should be possible with reasonable effort, like the '-c' for context (Smart-1 Cloud).

cheers

Daniel
Nüüül
Advisor

20210821

Updated the script by adding -i and -s

for "ignore gateway" / "select gateway".
Also changed a minor thing at the gateway check...