This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco_Valenti
Advisor
‎2018-08-29 08:43 AM

monitoring identity awareness

Hey checkmates

I would like to know if someone of you is using some sort of script or one liner to monitor the state of identity awareness through command like adlog a dc  as an example if the count of events from a dc is equal to zero or something similar.

Thanks in advance

13 Replies
Claudio_Bolcato
Contributor
‎2018-08-29 12:32 PM

pep show user all
pep show pdp all
dpd conn pep

You can use pdp and pep command for monitoring and troubleshooting identity awareness.
There are many helpful sub commands. Run those commands in expert mode on the gateway.

0 Kudos
Marco_Valenti
Advisor
‎2018-08-30 12:14 AM
In response to Claudio_Bolcato

probably I was not clear enough , I would like to know if someone of you put something like that into a script that can be monitored via snmp that show a result like if in adlog a dc the count is equal to zero , in large env showing all user won't be enough

0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2018-08-30 06:45 AM
In response to Marco_Valenti

I have it displayed in a small dashboard as we have 3 IDCs in different parts of the world connected to multiple firewalls, so two most critical gateways are in the dashboard reporting two things - that connectivity to IDC is alive (new events are arriving) and total number of users. INT represents 41k chassis with 4 SGM blades each (green tick agaist IDC means that connection to IDC is handled by that specific SGM). EXT is a regular non-chassis gateway. Error seen below unfortunately is part of  R76 code on chassis - occasionally it fails to respond to pep s p a command, so my script then reports Error.  Code itself is a simple bash script that calls pdp conn adqa or pdp conn idc (depending on GW version) and then pep s p a. Nothing overly complicated Smiley Happy

I'm actually planning to "upgrade" this to have all gateways included that run IA. But haven't got time to do it yet..

0 Kudos
Marco_Valenti
Advisor
‎2018-08-31 12:05 AM
In response to Kaspars_Zibarts

Thanks this give me something that I can work on with extend snmp or similar at least trying to clean some output for retrieving the filed Users

0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2018-08-31 02:18 AM
In response to Marco_Valenti

Yep, IA monitoring can be challenging (as it is not 100% stable, especially on R76 chassis). And having multiple VSXes and MDS.. I'm trying to pull this to one place so I can have a quick view of what's happening with IA across all GWs, all CMAs and all IDCs. Food for thought Royi Priov‌? Smiley Happy

Marco_Valenti
Advisor
‎2018-08-31 03:04 AM
In response to Kaspars_Zibarts

indeed , about vsx can you extend snmp per vs too? not so experienced on vsx side.

Your dashboard seems pretty solid instead of this oneliner but seems to do the job at the moment at least

pep s p a | awk -F " " '{print $5}' | grep -v time | sed  '/^$/d'
0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2018-08-31 03:19 AM
In response to Marco_Valenti

That's exactly what i do Smiley Happy and then check if you have received new events in last two minutes comparing current time vs last event. That's how green tick is updated Smiley Happy

Dan_Roddy
Collaborator
‎2019-03-26 08:40 AM
In response to Kaspars_Zibarts

Greetings Kaspars, I switched my Identity source from ADquery to Collector. After installing the first Collector yesterday, it had an issue so I installed Collector on a dedicated 2016 server and it is working very well. However, when I run pdp conn idc I still see the old Collector with Invalid Shared Secret and 5 events in the last hour with last event showing 'no event'. I think this is causing the Alert on my gateway. There should be no alerts. So I went to the bogus Collector and uninstalled it. The old Collector is not listed in Authorized Clients in the Cluster Identity Sources so why does it show in pdp conn idc listing? How do I remove it?

Thank you for your help!

Dan
0 Kudos
Tiago_Cerqueira
Contributor
‎2021-07-30 05:41 PM
In response to Kaspars_Zibarts

Hi Kaspars,

Sorry to resurrect this old thread, but it still seems there is no good way to monitor IDC events.

I'm currently trying to achieve the same as the OP and yourself have done, a way to monitor the reception of IDC events on the gateway itself.

I can write a quick script that will fetch these values via SSH, but I'd prefer to perform this via SNMP. I've looked through the identityServer MIB(1.3.6.1.4.1.2620.1.38), but from here I'm only able to monitor the number of events being received on the collector machine itself.

So far, I'd like to avoid using SSH, but I keep coming back to it as it is the easiest approach. Is there no way around using SSH? I've considered several, such as using extended SNMP and a custom OID or by executing a script in the gateway itself (using cpd_sched_config) and sending the result back to the snmp manager), but I wonder if I should just bite the bullet and use SSH

 

To be clear, I would like to query the GW (or the IDC itself), for the same information showed, in the Gateways tab, under columns "Events in last hour" and "Last event send time

 

Let me know your inputs. Thanks!

0 Kudos
Tiago_Cerqueira
Contributor
‎2021-08-02 05:24 PM
In response to Tiago_Cerqueira

I found a way to do this without SNMP or SSH, by using the gaia_api run-script. You can run any expert command there, that includes pdp conn idc. Then I just need to handle it on the client side

I plan to release a nagios plugin that will monitor the events received on the firewall per IDC and alert if they drop or if one (or all) stop receiving events inside a threshold.

David_Evans
Participant
‎2022-01-24 04:16 AM
In response to Tiago_Cerqueira

Did you get anywhere with this?   I was headed down the same path and didn't want to recreate the wheel.

0 Kudos
Tiago_Cerqueira
Contributor
‎2022-01-25 03:46 AM
In response to David_Evans

Hi,

 

I do have some code that runs the pdp idc conn command via API, but I didn't get to the processing part (not much time available to work on this). I'd be willing to share that if you'd like.

0 Kudos
KostasGR
Collaborator
‎2021-08-02 11:02 PM
In response to Kaspars_Zibarts

Hello all,

Does anyone knows the oid in order to monitor the value of pep users (100) from the below table?

pep show pdp all
Command: root->show->pdp->all
---------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
---------------------------------------------------------------------------
| Incoming | w.z.y.x | 0 | Connected | 39 |-------------------- |
---------------------------------------------------------------------------
| Incoming | x.y.z.w | 0 | Connected | 100 | ------------------- |
---------------------------------------------------------------------------
| Outgoing | x.y.z.w | 0 | Connected | N/A | -----------------|
---------------------------------------------------------------------------

BR,

Kostas

 

0 Kudos
Labels