- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hey checkmates
I would like to know if someone of you is using some sort of script or one liner to monitor the state of identity awareness through command like adlog a dc as an example if the count of events from a dc is equal to zero or something similar.
Thanks in advance
pep show user all
pep show pdp all
dpd conn pep
You can use pdp and pep command for monitoring and troubleshooting identity awareness.
There are many helpful sub commands. Run those commands in expert mode on the gateway.
probably I was not clear enough , I would like to know if someone of you put something like that into a script that can be monitored via snmp that show a result like if in adlog a dc the count is equal to zero , in large env showing all user won't be enough
I have it displayed in a small dashboard as we have 3 IDCs in different parts of the world connected to multiple firewalls, so two most critical gateways are in the dashboard reporting two things - that connectivity to IDC is alive (new events are arriving) and total number of users. INT represents 41k chassis with 4 SGM blades each (green tick agaist IDC means that connection to IDC is handled by that specific SGM). EXT is a regular non-chassis gateway. Error seen below unfortunately is part of R76 code on chassis - occasionally it fails to respond to pep s p a command, so my script then reports Error. Code itself is a simple bash script that calls pdp conn adqa or pdp conn idc (depending on GW version) and then pep s p a. Nothing overly complicated
I'm actually planning to "upgrade" this to have all gateways included that run IA. But haven't got time to do it yet..
Thanks this give me something that I can work on with extend snmp or similar at least trying to clean some output for retrieving the filed Users
Yep, IA monitoring can be challenging (as it is not 100% stable, especially on R76 chassis). And having multiple VSXes and MDS.. I'm trying to pull this to one place so I can have a quick view of what's happening with IA across all GWs, all CMAs and all IDCs. Food for thought Royi Priov?
indeed , about vsx can you extend snmp per vs too? not so experienced on vsx side.
Your dashboard seems pretty solid instead of this oneliner but seems to do the job at the moment at least
pep s p a |
awk
-F
" "
'{print $5}'
|
grep
-
v
time
|
sed
'/^$/d'
That's exactly what i do and then check if you have received new events in last two minutes comparing current time vs last event. That's how green tick is updated
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY