Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Champion
Champion
Jump to solution

hcp vs. healthcheck.sh?

Forgive me if this seems like a silly question but is HealthCheck Point (sk171436: HealthCheck Point (HCP) Release Updates) the permanent replacement for healthcheck.sh (sk121447: How to perform an automated health check of a Gaia based system)?

Is there any reason to run healthcheck.sh over hcp assuming you have the latest version of hcp?  Does healthcheck.sh give you anything that hcp does not?  It doesn't appear that way, and it is kind of implied in the SKs that HealthCheck Point should be used going forward but it is not explicitly stated anywhere that I can find.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion

healthcheck.sh is discontinued by Check Point as noted in sk121447.

It's author told me:


@Nathan_Davieau wrote:

I do intend to have HCP replace the healthcheck script.
I am glad that so many people liked the script but I just don’t have the free time to develop it like I used to.

I had the idea to continue it as a community edition but I don't have the time neither.

Whatever you miss in HCP, just let them know as comment in sk171436.

View solution in original post

(1)
25 Replies
Chris_Atkinson
Employee Employee
Employee

It's certainly my understanding that HCP is the path forward here.

Comparatively the healthcheck.sh script hasn't seen updates in a while. If there are gaps please share them and we will flag them with the relevant owner.

CCSM R77/R80/ELITE
0 Kudos
RamGuy239
Advisor
Advisor

I tend to run both just to be able to compare the results when I need to check the health status of a Check Point installation. But as you can see from sk121447, it mentions that for checking health on an R81.20 installation, you must use HCP, which points towards the healthcheck.sh not getting updated any time soon, and it will most likely never support R81.20 at all.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
the_rock
Legend
Legend

Personally, I find healthcheck.sh way more useful with way more accurate results.

Chris_Atkinson
Employee Employee
Employee

Do you have some current examples?

Comparatively I know the healthcheck.sh raid check is one example that raised eyebrows....

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend

I can tell you every time I ran HCP, even TAC could not get any results either, nor could they open html file produced. Never had such an issue with healthcheck.sh script.

0 Kudos
S_E_
Advisor

Personally, I find healthcheck.sh much more easier. One single script with 2 results (txt / html)

...

Even knowing healtcheck.sh sometimes throws an error  : SND/FW Core Distribution |Runtime error (func=(main), adr=3): Divide by zero

HCP means a lot of overhead im terms of installation and handling with 'special' commands (autoupdatercli instead of CPUSE)

And the copying files / extracting and so on....

Regards

 

 

the_rock
Legend
Legend

Agree 100%.

0 Kudos
Danny
Champion Champion
Champion

healthcheck.sh is discontinued by Check Point as noted in sk121447.

It's author told me:


@Nathan_Davieau wrote:

I do intend to have HCP replace the healthcheck script.
I am glad that so many people liked the script but I just don’t have the free time to develop it like I used to.

I had the idea to continue it as a community edition but I don't have the time neither.

Whatever you miss in HCP, just let them know as comment in sk171436.

(1)
the_rock
Legend
Legend

Lets hope 2023 brings even better tool : - ). @Danny , since you are the scripting MASTER, I think you will end up making something that works 100%, like you did many other times.

0 Kudos
Ilya_Yusupov
Employee
Employee

Hi @the_rock,

 

Can you give some more concrete cases where you had an issue with HCP? asking as i'm a fan of HCP tool, i used it for many cases i had from the field and found it very useful.

Moreover starting R81.20 you may review the report thorough WebUI by running the tool and review it under https://<gwip>/hcp.

i will be glad to hear feedback's on HCP tool so i can take it with the owners and see how we can enhance it more.

 

Thanks,

Ilya 

0 Kudos
the_rock
Legend
Legend

Well, as I mentioned, even when working with TAC, we could never open html page generated to see the results. All we would do is run hcp -r all command, thats it.

 

I will test R81.20 in the lab this week and report.

0 Kudos
Ilya_Yusupov
Employee
Employee

If someone has such issue, i will more than happy to see it and try to assist, i never encountered with such case where i was not able to open html report.

Thanks,

Ilya 

0 Kudos
the_rock
Legend
Legend

Not sure man, sorry. I will definitely try out R81.20 and see if I get better luck.

the_rock
Legend
Legend

WOW, Im super impressed with this @Ilya_Yusupov . Love the new HCP in R81.20...wish it was like this since the beginning. I attached the snippet for anyone curious what it looks like once you run hcp -r all in shs.

After finished, I opened https://172.16.10.205:4434/hcp and below is what I got (very very cool indeed).

Andy

Screenshot_1.png

Daniel_Szydelko
Collaborator
Collaborator

Hi Ilya,

It will be useful to see  cli commands used for particular tests.

BR

Daniel.

G_W_Albrecht
Legend
Legend

The tool is a rpm executable 😎 Similar thing with CPM Doc run_cpmdoc.sh: Mostly code, executed by a short head script.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Václav_Brožík
Collaborator

In the sk121447 I am not able to find any mention of healthcheck.sh being discontinued. Could you please point me to the statement?

For me it is difficult to try to trust tools like hcp or healthcheck when they do not show the exact commands used to obtain the information. Without that I cannot be sure what remains to be checked manually. I can use them just for a quick basic overview.

@Chris_Atkinson Recently I was solving problem with SIC certificates. HCP showed no problems on a management server and a gateway despite the fact that:

* The management (secondary) had the ICA root certificate expired.

* The gateway had its SIC certificate expired and the automatic renewal was failing repeatedly.

0 Kudos
Danny
Champion Champion
Champion

image.png

Chris_Atkinson
Employee Employee
Employee

To clarify are you suggesting this is a difference with healthcheck.sh or an improvement you would like to see added for HCP?

Depending on the versions involved there has been improved alerting added in the console for such scenarios moreover this is also something PRO support identifies if s customer has that entitlement licensed/active.

CCSM R77/R80/ELITE
0 Kudos
Václav_Brožík
Collaborator

I did not check healthcheck.sh. I just noticed that on both machines hcp had shown:


SIC...............................................[PASSED]

I noticed that recently some checks were added to the management server. Let's hope they will cover cases like that. Unfortunately Check Point support was pretty helpless about the expired ICA root certificate on the secondary management server 😞

I do not think that it is ethical that for being notified about similar situations customers should be required to buy the PRO support.

@Danny 

Thank you. I noticed that two things but none of them says that healthcheck.sh is discontinued. Many Check Point support tools have not been updated for a long time and/or they do not support the latest versions. It would be really helpful if it was stated explicitly that healthcheck.sh is discontinued.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

I did not state such a requirement, it's simply an option to have Pro support as a another proactive mechanism.

 

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend

As I said to Ilya in one of my responses, I wish HCP was as good in previous versions as it is in R81.20, super easy to read and parse through.

0 Kudos
Greg_Harbers
Collaborator

To add my .02c worth...

I ran hcp on some VSX cluster members from one of our customer members. It showed some odd figures in the "FW tables limit" section. As per the suggested solution to contact CP for futher assistance, I logged a TAC case and provided the HCP output.

In short, the response was:
"In the HCP report, the number of entries column and the Peak column is reversed and a fix will be released to the HCP soon. "

 and

"You can completely ignore all the errors for FW tables limit in HCP report"

Hmmm, why report stuff if the response is to ignore it?

0 Kudos
Daniel_Szydelko
Collaborator
Collaborator

For me it isn't such useful tool as we cannot compare it with used commands / checking(without knowledge and experience) to see why there is not green status.

I remember funny situation when HCP showed me for SmartEvent that there are vpnd coredumps available.

BR

Daniel.

MattGo
Participant

I've also noticed that when running hcp from a multi-domain-server it does not honour the proxy settings so the "Connectivity to UC" check fails.  If I mdsenv to a domain then run hcp  again, it does then pass that check.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events