IPS Update Monitoring

Hi,
I wrote a small script, using the SDK from Check Point (GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit), for checking IPS updates with my monitoring server (Centreon, based on Nagios, more or less).
For the login, the SDK is used (I changed one option in the login part of mgmt_api.py: unsafe_auto_accept --> true; it should work with the default, false, too, but this was easier for me).
After successfully logging in, we parse the API output from show-ips-status and compare it with, e.g., the actual date or "update available".
After some calculating and comparing, the script gives output understandable for Nagios-based systems:
UNKNOWN = -1, OK = 0, WARNING = 1, CRITICAL = 2
Good:
Bad:
And there is a state WARNING for a 1 - 3 day delta from the IPS update.
The thresholds are freely configurable (on a daily basis).
What would be good is a possibility to get the current IPS database version from Check Point, so one could check the version against Check Point and not against what the management server found.
I started working on this with the question of Sven Glock (IPS Monitoring) in mind - maybe that kind of helps... and for my own use, of course.
To use it on a Nagios server you need:
- Python installed (the script worked with 2.7 and 3.7)
- in the plugin folder I created an own "checkpoint" folder, containing the SDK and my script.
Feel free to have a look, I'm sure there is space for improvements....
Regards,
Daniel
Labels: Threat Prevention Policy
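As an added example (not the thread author's script and not code from Check Point's SDK), here is how the evaluation step the post describes can be written as a Nagios check: the management server's show-ips-status data block is compared against today's date with configurable day thresholds and mapped to a plugin exit code and status line. The SAMPLE_STATUS dictionary and its field names are constructed assumptions about the reply's shape (the thread itself notes the reply changed with R80.20), the fetch_status helper shows the SDK calls only in outline and needs network access, and the threshold defaults and the mapping of "update available" to WARNING are design choices here, not the author's.

```python
"""Nagios-style evaluation of the management server's IPS update state."""
from datetime import date, datetime

# Nagios plugin exit codes. The post lists UNKNOWN as -1; the Nagios plugin
# guidelines reserve exit status 3 for UNKNOWN, so that value is used here.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Constructed sample of the show-ips-status data block. The field names and
# the date format are assumptions; check them against your release's reply.
SAMPLE_STATUS = {
    "installed-version": "636172107",
    "last-updated": "2020-09-01",
    "update-available": False,
}


def evaluate_ips_status(status, today, warn_days=1, crit_days=4):
    """Map a show-ips-status data block to (exit_code, plugin_output).

    warn_days / crit_days are the day thresholds the post calls freely
    configurable; the defaults are assumptions. A missing or unreadable
    status (e.g. the management server could not fetch an update) is
    reported as UNKNOWN rather than OK, so a broken feed never looks green.
    """
    if not status:
        return UNKNOWN, "IPS UNKNOWN - no status data from management server"
    try:
        installed = status["installed-version"]
        last_updated = datetime.strptime(status["last-updated"], "%Y-%m-%d").date()
    except (KeyError, ValueError) as exc:
        return UNKNOWN, "IPS UNKNOWN - cannot read status: %s" % exc

    days = (today - last_updated).days
    if days >= crit_days:
        state = CRITICAL
    elif days >= warn_days:
        state = WARNING
    else:
        state = OK
    # An update the management found but has not applied yet is at least a
    # WARNING; the post only says the script reports this condition.
    pending = bool(status.get("update-available"))
    if pending and state == OK:
        state = WARNING

    text = "IPS %s - version %s installed, last update %s (%d days ago)%s" % (
        STATE_NAMES[state], installed, last_updated.isoformat(), days,
        ", update available but not applied" if pending else "")
    # Performance data in the standard label=value;warn;crit form, so the
    # monitoring server can graph the age of the IPS database.
    perfdata = "days_since_update=%d;%d;%d" % (days, warn_days, crit_days)
    return state, "%s | %s" % (text, perfdata)


def fetch_status(server, username, password, context=None, unsafe_auto_accept=False):
    """Fetch the live data block with cp_mgmt_api_python_sdk (needs network).

    `context` is the argument the thread adds for Smart-1 Cloud.
    unsafe_auto_accept=True accepts the server fingerprint without prompting,
    which is the option the post changed; leaving it False keeps the SDK's
    fingerprint check in place.
    """
    from cpapi import APIClient, APIClientArgs  # real SDK import; not needed offline

    kwargs = {"server": server, "unsafe_auto_accept": unsafe_auto_accept}
    if context:
        kwargs["context"] = context
    with APIClient(APIClientArgs(**kwargs)) as client:
        if not client.login(username, password).success:
            return None
        res = client.api_call("show-ips-status")
        return res.data if res.success else None


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed sample.
    code, output = evaluate_ips_status(SAMPLE_STATUS, date.today())
    print(output)
    sys.exit(code)
```

The check exits with the state as its status code, which is all Nagios or Centreon needs; the perfdata after the pipe is optional but lets the age of the IPS database be graphed alongside the red/yellow/green state.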

Great work! What is the benefit of using this over signing up for email alerts on IPS updates from Check Point?
Ryan

Hi Ryan,
the email gives you the information that there is a new version.
The script checks the installed version and whether your appliance did find an updated version but, e.g., has not yet applied it.
Perfect would be a possibility for the monitoring server to fetch the most recent version number, to avoid the case that the Check Point Management Server cannot connect to Check Point for any reason.
And you have this visible for monitoring systems like Nagios and so on, which leads to a traffic light (red, yellow, green) - good for management.
Daniel

Hi, cool integration!
May I ask what your reasons are for not scheduling your Management Server to automatically run IPS updates and install them? R80.10 gateways install IPS as part of the Threat Prevention policy, not Access Control, which means they're not susceptible to installing changes made in policy rules.

Hi Tomer,
here it is more because of "having an eye" on this, and, e.g., being able to monitor and report that you have the most recent version installed, without letting others log into the SmartConsole.
And if it were possible to obtain the most recent version number from some kind of feed, this check would send alarms when there are new versions but management was not able to download them for any reason (DNS, a firewall in front of it - whatever).
I have customers (managed service) who want to see from time to time whether they are OK on that and other topics.
Daniel

FYI
Since the upgrade to R80.20 the reply of the API changed, so I'll rewrite the script to be able to monitor R80.20 installations too.

Finally did it. Running with R80.30 too...
Basically had to update the calls for cpapi (SDK).

Ohhh - what a nice post, Daniel! I found it accidentally today.
Thanks for sharing your script!

brilliant

Was finally able to update the script. It should work for R80.40 too and is now able to talk to Smart-1 Cloud instances (basically added another argument for setting a value for "context"). Also I did some smaller changes. Updated script and more information here:
https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios
Currently I am working on fetching all managed gateways from management and collecting the installed IPS versions from them for comparison against the management's installed IPS version.
Don't know if this is useful. More for learning and expanding my Python "skills".. 🙂
- Edit 20200906
Added argument "-M" for checking the management's IPS version only.
If not set, the script will fetch a list of managed gateways ("show-simple-gateways") and check their IPS version too ("run-script" -> "clish -c \"show security-gateway ips status\"").
Also kind of reorganised the script into functions.
(Keep in mind that the API calls take some time, so it might be necessary to change the timeout for the check/service.)

Hi,
the script is updated again.
20201024
Added and improved error handling:
- when the SMS did not get an IPS version update or was not able to fetch the recent version
- when the SMS cannot reach a gateway
- added more logging output when executing verbosely (-v)
- for checking an "On Premise" SMS, no argument "-C" is needed
More information, like how to use it, is in the GitHub readme - I updated it too 😉
https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios

This is fantastic! Any chance someone has modified the script for MDS yet?

Hi Ian,
at least I did not, sorry, as I don't have an MDS at hand. But it should be possible with reasonable effort, like the '-c' for context (Smart-1 Cloud).
Cheers,
Daniel

20210821
Updated the script by adding -i and -s
for "ignore gateway" / "select gateway".
Also changed a minor thing at the gateway check...
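As an added example that is not part of the thread or the author's repository, here is the comparison logic the 20200906 and 20201024 posts describe (gateways listed via show-simple-gateways, each asked through run-script for its IPS status, and the result compared with the management's version), together with the -s/-i select/ignore filtering from the 20210821 post and the error case where the SMS cannot reach a gateway. SAMPLE_CLISH_OUTPUT and SAMPLE_FLEET are constructed: the real wording of `clish -c "show security-gateway ips status"` is not on the page, so the parser only looks for a line carrying the word "version"; mapping an unreachable gateway to UNKNOWN and a version mismatch to WARNING is a design choice here, not the script's.

```python
"""Fold per-gateway IPS versions into one Nagios service state."""
import re

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
# Rank used when folding per-gateway states into one result: a confirmed
# problem on one gateway outranks an unreachable one.
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}

# Constructed stand-in for the run-script output of
# `clish -c "show security-gateway ips status"`; the real wording is not on
# the page, so only the "version" line matters to the parser below.
SAMPLE_CLISH_OUTPUT = """\
IPS Status:
    Update version: 636172107
    Last update:    2020-09-01
"""

# Constructed fleet: gateway name -> script output, or None when the SMS
# could not reach the gateway (the error case the 20201024 post handles).
SAMPLE_FLEET = {
    "gw-hq": SAMPLE_CLISH_OUTPUT,
    "gw-branch": SAMPLE_CLISH_OUTPUT.replace("636172107", "636172001"),
    "gw-lab": None,
}

VERSION_RE = re.compile(r"version\s*[:=]\s*(\S+)", re.IGNORECASE)


def parse_ips_version(script_output):
    """Return the IPS version found in a gateway's script output, or None."""
    if not script_output:
        return None
    match = VERSION_RE.search(script_output)
    return match.group(1) if match else None


def select_gateways(names, select=None, ignore=None):
    """Apply the -s (select) / -i (ignore) semantics to a list of gateway names."""
    chosen = [n for n in names if not select or n in select]
    return [n for n in chosen if not ignore or n not in ignore]


def compare_fleet(mgmt_version, fleet, select=None, ignore=None):
    """Compare every selected gateway's IPS version with the management's.

    Returns (exit_code, plugin_output). A gateway without a readable version
    is UNKNOWN; a gateway whose version differs from the management's is
    WARNING; the worst rank wins.
    """
    state, notes = OK, []
    for name in select_gateways(sorted(fleet), select, ignore):
        gw_version = parse_ips_version(fleet[name])
        if gw_version is None:
            gw_state = UNKNOWN
            notes.append("%s: unreachable or no version in output" % name)
        elif gw_version == mgmt_version:
            gw_state = OK
            notes.append("%s: %s" % (name, gw_version))
        else:
            gw_state = WARNING
            notes.append("%s: %s (management has %s)" % (name, gw_version, mgmt_version))
        if SEVERITY[gw_state] > SEVERITY[state]:
            state = gw_state
    output = "IPS %s - management %s; %s" % (
        STATE_NAMES[state], mgmt_version, "; ".join(notes) or "no gateways selected")
    return state, output


if __name__ == "__main__":
    import sys
    code, output = compare_fleet("636172107", SAMPLE_FLEET)
    print(output)
    sys.exit(code)
```

Because each run-script call round-trips through the management server, the per-gateway loop is where the check's runtime grows with the fleet, which is the reason the thread advises raising the service timeout; filtering with select/ignore before the loop keeps the check bounded on large installations.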
