Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Danny
Champion Champion
Champion

Gaia HealthCheck Script v6.05 released

Check Point released v6.05 of it's Gaia HealthCheck Script.

Script author: Nathan Davieau (LinkedIn profile)

Whats new:

 

Whats missing:

  • script self-update

Download

PackageLinkDate 
healthcheck.sh script v6.0526Feb2019
2 Replies
Danny
Champion Champion
Champion

I just found a flaw within the CoreXL status check.

 

My machine:

[Expert@fw:0]# installed_jumbo_take
R77.30 Jumbo Hotfix Accumulator take_342 is installed, see sk106162.
[Expert@fw:0]# fw ctl multik stat
fw: CoreXL is disabled

[Expert@fw:0]# fw ctl multik stat 2> /dev/null
[Expert@fw:0]#‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

So CoreXL is disabled but healthcheck.sh does:

        core_stat=$(fw ctl multik stat 2> /dev/null)
        if [[ $(echo $core_stat | grep disabled) ]]; then check_failed

 

As $core_stat does not contain the string "disabled" the scripts says that CoreXL is OK (enabled) while it is actually disabled.

0 Kudos
Petr_Hantak
Advisor
Advisor

I run this script version on VSX using virtual switches. It is not probably issue of this version only, but specially for virtual systems systems which are switches it returns warnings in NAT, Cluster status, Sync status. I'll try it also on virtual router if is the situation similar there.

In case it will be possible to cover it in roadmap to mitigate those states by info because it is virtual switch and it is fine, it would be great. I really like this script. It is great and give us a lot of useful info about our devices.

 

Here is example of two virtual switches.

Virtual System 1Virtual System 2

Fragments
Fragments - OK

Connections Table
Peak Connections - OK
Current Connections - OK
NAT Connections - WARNING
NAT Table ERROR - Unable to open fwx_cache table.

ClusterXL
Cluster Status - WARNING
Unable to find remote partner.
This is usually due to one of the following reasons:
-There is no network connectivity between the members of the cluster on the sync network.
-The partner does not have state synchronization enabled.
-One partner is using broadcast mode while the other is using multicast mode.
-One of the monitored processes has an issue, such as no policy loaded.
-The partner firewall is down.


Problem Notifications - OK
Sync Status - WARNING
Sync is Off!
For more information on Sync, use sk34476: Explanation of Sync section in the output of fw ctl pstat command.
To troubleshoot Sync issues use, sk37029- Full Synchronization issues on cluster member and sk37030 - Debugging Full Synchronization in ClusterXL.


Number of Sync Interfaces - OK
Cluster Failovers - OK

SecureXL
SecureXL Status - OK
Accept Templates - OK
Drop Templates - INFO
Drop Templates are disabled.
Accelerated Drop Rules feature protects the Security Gateway and site from Denial of Service attacks by dropping packets at the acceleration layer.
Please review sk90861 and sk90941 for more information.


F2F Packets - WARNING
F2F (firewall/slow path) packets account for 100% of all traffic.
For more information regarding tuning connections, use sk98348: Best Practices - Security Gateway Performance


PXL Packets - OK
Aggressive Aging - OK

Logging
Local Logging - OK

Fragments
Fragments - OK

Connections Table
Peak Connections - OK
Current Connections - OK
NAT Connections - WARNING
NAT Table ERROR - Unable to open fwx_cache table.

ClusterXL
Cluster Status - WARNING
Unable to find remote partner.
This is usually due to one of the following reasons:
-There is no network connectivity between the members of the cluster on the sync network.
-The partner does not have state synchronization enabled.
-One partner is using broadcast mode while the other is using multicast mode.
-One of the monitored processes has an issue, such as no policy loaded.
-The partner firewall is down.


Problem Notifications - OK
Sync Status - WARNING
Sync is Off!
For more information on Sync, use sk34476: Explanation of Sync section in the output of fw ctl pstat command.
To troubleshoot Sync issues use, sk37029- Full Synchronization issues on cluster member and sk37030 - Debugging Full Synchronization in ClusterXL.


Number of Sync Interfaces - OK
Cluster Failovers - OK

SecureXL
SecureXL Status - OK
Accept Templates - OK
Drop Templates - INFO
Drop Templates are disabled.
Accelerated Drop Rules feature protects the Security Gateway and site from Denial of Service attacks by dropping packets at the acceleration layer.
Please review sk90861 and sk90941 for more information.


F2F Packets - WARNING
F2F (firewall/slow path) packets account for 100% of all traffic.
For more information regarding tuning connections, use sk98348: Best Practices - Security Gateway Performance


PXL Packets - OK
Aggressive Aging - OK

Logging
Local Logging - OK

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events