High CPU usage during periods you didn't know about? A colleague installed a firewall policy without telling you and the phone starts ringing? Logs filling up disk space? You can configure thresholds so that an SNMP trap or e-mail is sent automatically when any of this happens. This also helps you start troubleshooting at the right moment during a performance incident, with the top and cpview commands. Have you configured this in your environment?
This example will show you how to configure e-mail notifications.
Note: To receive mail alerts you need an SMTP server configured as a mail relay that allows the IP address of your management server and requires "No Authentication", for instance your internal Exchange server. Be aware also that your management server has to be allowed to send mail to this mail server in your security policy, and that there must be a route from the management server to the mail server.
1. Configure thresholds on gateway(s):
System Alerts can be customized per network object, or they can be set to comply with the global System Alert attributes.
Logs & Monitor > New tab > Tunnel & User monitoring to open SmartView Monitor.
Under the All Gateways overview, right-click on an object and select Configure Thresholds.
There are three options here to choose between:
Which one to choose? Edit Global Settings lets you define a set of default system alert parameters (such as CPU utilization) for each installed product and determine the action to be taken (such as log or alert) when that parameter is reached. If you only have one cluster this option is fine, but if you have many gateways, Custom on each object might be the better option since you can tune it differently per gateway. In this example we will use Custom.
For CPU usage, free disk space and firewall policy install time you could set something like this:
System Alert Monitoring Mechanism
The Check Point Security Management server has a System Alert monitoring mechanism that takes the System Alert parameters you defined and checks whether each threshold has been reached. If it is reached, it activates the action defined for it. If the system alert daemon is not started you will get this message:
In your SmartView Monitor window select to start as shown below.
2. Set up mail alerts for the configured thresholds:
Open Global Properties in your SmartConsole and go to Alerts.
The internal_sendmail is an internal Check Point command (built-in into FWD daemon) that directs the Check Point Alerts Daemon on the Security Management Server / Domain Management Server to send an e-mail, using the specified arguments. It does not require a mail server or mail client to be installed on the Security Management Server / Multi-Domain Security Management Server.
Select the checkbox next to "Run mail alert script".
Use this syntax:
internal_sendmail -s "SUBJECT" -t IP_ADDRESS_of_SMTP_SERVER [-f SENDER_E-MAIL@DOMAIN] RECIPIENT1_E-MAIL@DOMAIN [RECIPIENT2_E-MAIL@DOMAIN ...]
The above syntax did not work for me, don't quite know why. I had to use this instead:
$FWDIR/bin/sendmail -s "SUBJECT" -t IP_ADDRESS_of_SMTP_SERVER [-f SENDER_E-MAIL@DOMAIN] RECIPIENT1_E-MAIL@DOMAIN [RECIPIENT2_E-MAIL@DOMAIN ...]
Example:
$FWDIR/bin/sendmail -s "MySubject" -t 192.168.20.30 -f fwmgmt@example.com sysadmin@example.com managers@example.com
Note: The e-mail subject must always be enclosed in quotation marks. Multiple recipients, listed at the end of the command, must be separated by a space character.
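To catch a typo in that line before you publish, and to confirm the prerequisites from the note above (a route and TCP/25 reachability from the management server to the relay), here is a small pre-flight script. It is an added example, not Check Point code; it assumes bash in expert mode on the management server and a relay listening on port 25, and the command line it prints is what goes into the "Run mail alert script" field.

```bash
#!/bin/bash
# Added example (not Check Point code): validate the mail alert command line and
# probe the SMTP relay before trusting the alert. Assumes bash on the management
# server (expert mode) and a relay listening on TCP/25.

is_ipv4() {
    # Dotted quad with every octet in 0-255.
    local -a octets; local octet
    [[ $1 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    IFS=. read -r -a octets <<<"$1"
    for octet in "${octets[@]}"; do (( 10#$octet <= 255 )) || return 1; done
}

is_email() {
    # Coarse check: local-part@domain.tld with no whitespace.
    [[ $1 =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]
}

build_sendmail_cmd() {
    # Usage: build_sendmail_cmd SUBJECT SMTP_IP SENDER RECIPIENT...
    # Prints the line for the "Run mail alert script" field; returns 1 on bad input
    # so the mistake is found here rather than after the next policy install.
    local subject=$1 smtp=$2 sender=$3 rcpt rcpts=""; shift 3
    [[ -n $subject ]]   || { echo "empty subject" >&2; return 1; }
    is_ipv4 "$smtp"     || { echo "bad SMTP address: $smtp" >&2; return 1; }
    is_email "$sender"  || { echo "bad sender: $sender" >&2; return 1; }
    (( $# >= 1 ))       || { echo "no recipients" >&2; return 1; }
    for rcpt in "$@"; do
        is_email "$rcpt" || { echo "bad recipient: $rcpt" >&2; return 1; }
        rcpts+=" $rcpt"
    done
    # Subject always quoted, recipients space separated, $FWDIR left literal.
    printf '$FWDIR/bin/sendmail -s "%s" -t %s -f %s%s\n' "$subject" "$smtp" "$sender" "$rcpts"
}

smtp_reachable() {
    # TCP connect to port 25 with bash's /dev/tcp and print the banner. A failure
    # usually means a missing route or a rule not letting management reach the relay.
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/25" && read -r -t 3 banner <&3 && printf "%s\n" "$banner"' _ "$1"
}

# Run as: ./alert_preflight.sh --check "MySubject" 192.168.20.30 fwmgmt@example.com sysadmin@example.com
if [[ ${1:-} == --check ]]; then
    shift
    line=$(build_sendmail_cmd "$@") || exit 1
    echo "Alert script line: $line"
    smtp_reachable "$2" || { echo "SMTP relay $2 not reachable on TCP/25" >&2; exit 1; }
fi
```

If the relay answers with its banner but no mail arrives, the remaining suspects are the relay's "Mail Relay" allow-list for the management server's IP and the authentication setting.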
Publish and install the security policy to see if you get an e-mail alert, which will look like this: