hcp vs. healthcheck.sh?
Forgive me if this seems like a silly question but is HealthCheck Point (sk171436: HealthCheck Point (HCP) Release Updates) the permanent replacement for healthcheck.sh (sk121447: How to perform an automated health check of a Gaia based system)?
Is there any reason to run healthcheck.sh over hcp assuming you have the latest version of hcp? Does healthcheck.sh give you anything that hcp does not? It doesn't appear that way, and it is kind of implied in the SKs that HealthCheck Point should be used going forward but it is not explicitly stated anywhere that I can find.
Accepted Solutions
healthcheck.sh is discontinued by Check Point as noted in sk121447.
Its author told me:
@Nathan_Davieau wrote:
I do intend to have HCP replace the healthcheck script.
I am glad that so many people liked the script but I just don’t have the free time to develop it like I used to.
I had the idea to continue it as a community edition but I don't have the time either.
Whatever you miss in HCP, just let them know as a comment in sk171436.
It's certainly my understanding that HCP is the path forward here.
Comparatively the healthcheck.sh script hasn't seen updates in a while. If there are gaps please share them and we will flag them with the relevant owner.
I tend to run both just to be able to compare the results when I need to check the health status of a Check Point installation. But as you can see from sk121447, it mentions that for checking health on an R81.20 installation, you must use HCP, which points towards the healthcheck.sh not getting updated any time soon, and it will most likely never support R81.20 at all.
Personally, I find healthcheck.sh way more useful with way more accurate results.
Do you have some current examples?
Comparatively I know the healthcheck.sh raid check is one example that raised eyebrows....
I can tell you every time I ran HCP, even TAC could not get any results either, nor could they open the html file produced. Never had such an issue with the healthcheck.sh script.
Personally, I find healthcheck.sh much easier. One single script with 2 results (txt / html)
...
Even knowing healthcheck.sh sometimes throws an error: SND/FW Core Distribution |Runtime error (func=(main), adr=3): Divide by zero
HCP means a lot of overhead in terms of installation and handling with 'special' commands (autoupdatercli instead of CPUSE)
And the copying files / extracting and so on....
Regards
Agree 100%.
Let's hope 2023 brings an even better tool :-). @Danny, since you are the scripting MASTER, I think you will end up making something that works 100%, like you did many other times.
Hi @the_rock,
Can you give some more concrete cases where you had an issue with HCP? Asking as I'm a fan of the HCP tool; I used it for many cases I had from the field and found it very useful.
Moreover, starting with R81.20 you may review the report through the WebUI by running the tool and reviewing it under https://<gwip>/hcp.
I will be glad to hear feedback on the HCP tool so I can take it to the owners and see how we can enhance it more.
Thanks,
Ilya
Well, as I mentioned, even when working with TAC, we could never open the html page generated to see the results. All we would do is run the hcp -r all command, that's it.
I will test R81.20 in the lab this week and report.
If someone has such an issue, I will be more than happy to see it and try to assist. I never encountered a case where I was not able to open the html report.
Thanks,
Ilya
Not sure man, sorry. I will definitely try out R81.20 and see if I get better luck.
WOW, I'm super impressed with this @Ilya_Yusupov. Love the new HCP in R81.20... wish it was like this since the beginning. I attached the snippet for anyone curious what it looks like once you run hcp -r all in shs.
After it finished, I opened https://172.16.10.205:4434/hcp and below is what I got (very very cool indeed).
Andy
Hi Ilya,
It will be useful to see cli commands used for particular tests.
BR
Daniel.
The tool is an rpm executable 8) Similar thing with CPM Doc run_cpmdoc.sh: Mostly code, executed by a short head script.
In the sk121447 I am not able to find any mention of healthcheck.sh being discontinued. Could you please point me to the statement?
For me it is difficult to try to trust tools like hcp or healthcheck when they do not show the exact commands used to obtain the information. Without that I cannot be sure what remains to be checked manually. I can use them just for a quick basic overview.
@Chris_Atkinson Recently I was solving a problem with SIC certificates. HCP showed no problems on a management server and a gateway despite the fact that:
* The management (secondary) had the ICA root certificate expired.
* The gateway had its SIC certificate expired and the automatic renewal was failing repeatedly.
To clarify, are you suggesting this is a difference with healthcheck.sh or an improvement you would like to see added for HCP?
Depending on the versions involved, there has been improved alerting added in the console for such scenarios. Moreover, this is also something PRO support identifies if a customer has that entitlement licensed/active.
I did not check healthcheck.sh. I just noticed that on both machines hcp had shown:
SIC...............................................[PASSED]
I noticed that recently some checks were added to the management server. Let's hope they will cover cases like that. Unfortunately Check Point support was pretty helpless about the expired ICA root certificate on the secondary management server 😞
I do not think that it is ethical that for being notified about similar situations customers should be required to buy the PRO support.
Thank you. I noticed those two things but none of them says that healthcheck.sh is discontinued. Many Check Point support tools have not been updated for a long time and/or they do not support the latest versions. It would be really helpful if it was stated explicitly that healthcheck.sh is discontinued.
I did not state such a requirement, it's simply an option to have Pro support as another proactive mechanism.
As I said to Ilya in one of my responses, I wish HCP was as good in previous versions as it is in R81.20, super easy to read and parse through.
To add my .02c worth...
I ran hcp on some VSX cluster members from one of our customer members. It showed some odd figures in the "FW tables limit" section. As per the suggested solution to contact CP for further assistance, I logged a TAC case and provided the HCP output.
In short, the response was:
"In the HCP report, the number of entries column and the Peak column is reversed and a fix will be released to the HCP soon."
and
"You can completely ignore all the errors for FW tables limit in HCP report"
Hmmm, why report stuff if the response is to ignore it?
For me it isn't such a useful tool, as we cannot compare it with used commands / checking (without knowledge and experience) to see why there is not a green status.
I remember a funny situation when HCP showed me for SmartEvent that there are vpnd coredumps available.
BR
Daniel.
I've also noticed that when running hcp from a multi-domain-server it does not honour the proxy settings so the "Connectivity to UC" check fails. If I mdsenv to a domain then run hcp again, it does then pass that check.
