
Need auto execute command script like EEM in Cisco

Hi, My Security Gateway CPU is spiking randomly. I want to configure a script to collect output of some pre-defined commands like EEM in Cisco. But I'm not getting the script for CheckPoint. Any help much appreciated

14 Replies

Re: Need auto execute command script like EEM in Cisco

Check Point is based on Red Hat Linux. You can create Python or bash scripts to collect the information.

0 Kudos

Re: Need auto execute command script like EEM in Cisco

Thanks for replying. I want to set up a script which will execute a command "fw tab -t connections -u > /var/log/Connections_Table.txt" when my gateway CPU goes above 90%. Could you please help me with script and steps?

0 Kudos
Admin

Re: Need auto execute command script like EEM in Cisco

You'd have to write a script that:

1. Monitors CPU (remember: there is more than one core)

2. When CPU reaches your desired threshold, run the appropriate commands

Meanwhile, you might try using cpview, which can tell you a lot about what's going on.

CPView Utility 

0 Kudos
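
The two steps listed in the reply above (sample every core, then run the commands once the threshold is crossed), as an added example that is not code from any poster or from Check Point. It runs the fw tab capture requested earlier in the thread when any single core reaches 90%; the script name cpu_trigger.sh, the cooldown and the timestamped output file names are assumptions.

```bash
#!/bin/bash
# Added example (constructed for this thread, not Check Point or TAC code).
THRESHOLD=${THRESHOLD:-90}   # per-core busy percentage that triggers a capture
INTERVAL=${INTERVAL:-1}      # seconds between /proc/stat snapshots
COOLDOWN=${COOLDOWN:-60}     # assumed minimum gap between captures, protects /var/log
OUT_DIR=${OUT_DIR:-/var/log}

# busy_cores PREV CUR THRESHOLD
# PREV and CUR are two snapshots of /proc/stat. Prints "cpuN pct" for each core
# whose busy share between them is >= THRESHOLD. Idle and iowait count as not
# busy; the aggregate "cpu" line is skipped so one pegged core is not averaged away.
busy_cores() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v thr="$3" '
        $0 == "---" { second = 1; next }
        $1 ~ /^cpu[0-9]+$/ {
            total = 0
            for (f = 2; f <= NF && f <= 9; f++) total += $f   # user..steal
            idle = $5 + $6                                    # idle + iowait
            if (!second) { t0[$1] = total; i0[$1] = idle; next }
            if (!($1 in t0)) next
            dt = total - t0[$1]; di = idle - i0[$1]
            if (dt > 0 && int(100 * (dt - di) / dt) >= thr)
                print $1, int(100 * (dt - di) / dt)
        }'
}

# capture HOT: one timestamped file per trigger so a later spike does not
# overwrite the earlier one. Assumes fw is on PATH (started from expert mode).
capture() {
    ts=$(date +%Y%m%d_%H%M%S)
    {
        echo "=== $ts cores at or above ${THRESHOLD}%: $1 ==="
        top -b -n1 | head -n 30
        fw tab -t connections -u
    } > "$OUT_DIR/Connections_Table_$ts.txt" 2>&1
}

watch_cpu() {
    prev=$(cat /proc/stat); last=0
    while sleep "$INTERVAL"; do
        cur=$(cat /proc/stat)
        hot=$(busy_cores "$prev" "$cur" "$THRESHOLD" | tr '\n' ' ')
        now=$(date +%s)
        if [ -n "$hot" ] && [ $((now - last)) -ge "$COOLDOWN" ]; then
            capture "$hot"
            last=$now
        fi
        prev=$cur
    done
}

# Start the loop only on request: nohup ./cpu_trigger.sh --watch &
if [ "${1:-}" = "--watch" ]; then watch_cpu; fi
```

With 80k connections each capture is large, so keep the cooldown and watch free space under /var/log while the script is running.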

Re: Need auto execute command script like EEM in Cisco

It's happening randomly, that's why I thought of configuring a script. But I don't know how to do it. If you have any document related to scripting, please share. It will be helpful.

0 Kudos
Admin

Re: Need auto execute command script like EEM in Cisco

cpview has a history mode that will likely be helpful.

It won't require scripting.

See also: Best Practices - Security Gateway Performance 

0 Kudos

Re: Need auto execute command script like EEM in Cisco

Cpview will record the information, I believe every 1 minute. I have seen before that the CPU spikes in sub-seconds and cpview will not catch it. We had to use top with a lower timer to catch it.

Thanks

0 Kudos
Admin

Re: Need auto execute command script like EEM in Cisco

It's not foolproof, true, but it's a good starting point that doesn't involve writing scripts.

0 Kudos

Re: Need auto execute command script like EEM in Cisco

Houssameddine Zeghlache in regards to the granularity of cpview history mode being 1 minute, I looked into it more closely when researching my book and the per-minute historical numbers reported by cpview are the average of two samples taken 30 seconds apart. So a spike of some kind that occurs but is not still happening during one of the samples taken every 30 seconds will not show up at all in cpview's history mode, and this was noted in my book. Sar takes more of a running average over its sampling intervals and in some cases is preferred over cpview depending on what you want to inspect. Here is the table from the second edition of my book where these preferences are summarized, these are just my opinion of course:

cpview sar

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Need auto execute command script like EEM in Cisco

Hi Tim, in my case the CPU is spiking intermittently and by the time I log in it has become normal. I know one thing: the CPU is spiking when the number of connections increases suddenly from 40k to 80k.

I'm stuck here, I want to find out what these connections are that are causing the CPU spike. Could you please help me out?

0 Kudos

Re: Need auto execute command script like EEM in Cisco

Tim, forgot to say one more thing, firewall policy logs are disabled for all policy except clean up rule.

0 Kudos

Re: Need auto execute command script like EEM in Cisco

OK since logging is only for cleanup it is probably not fwd and its associated logging functions spiking the CPU.

First order of business for a spiking CPU is to determine what kind of execution is eating the most cycles during the problematic period. sar can get you going in the right direction here, run sar in historical mode like this (assume that the day number it happened was 7 in this example, for today just omit the "-f (filename)" argument):

sar -f /var/log/sa/sa07 -P ALL

This will show specifically where the CPU time is going, percentage-wise, for each type of execution, namely:

%user - process execution, generally this should be fairly low on a gateway unless features that cause process space trips such as HTTPS Inspection are turned on 

%nice - irrelevant on a gateway, important on a R80+ SMS though

%system - kernel execution, roll up of the sy/si/hi/st shown in top

%iowait - waiting for I/O, should be very low (<5%) on a gateway unless policy is currently being installed, if higher than that during your spikes the firewall is almost certainly low on memory, post output of free -m

%idle - hopefully self-explanatory

Please report where most of the CPU cycles are going during the spikes and we can go from there.  If it is spiking in %system as shown by sar, you're going to either have to catch the problem live while running top, or run top in batch mode so we can see which one of sy/si/hi is the culprit.

0 Kudos

Re: Need auto execute command script like EEM in Cisco

You might start playing with it in a lab by checking some scripts like this one and adjusting them for your needs

https://stackoverflow.com/questions/15655969/shell-script-for-cpu-load-monitoring

0 Kudos

Re: Need auto execute command script like EEM in Cisco

I have an old, outdated script from years ago

Usage: Before running the script please set up top so it always shows all CPUs:

#top
Press 1
Press shift + w
Press Enter
Exit top
Verify that it shows all CPUs by entering top again.

Now we can run the script:

#dos2unix monitor.sh
#chmod +x monitor.sh

#nohup ./monitor.sh &

The script will now run in the background and will take specific outputs related to performance every 30 seconds.
They will be written into /var/log/output.txt

To kill the script:
#ps aux | grep monitor.sh
#kill -9 [pid of monitor.sh]

You can change the time value to your needs.


#!/bin/bash
#
# Collects performance output every 30 seconds and appends it to the log file below.
LOG=/var/log/output.txt

clear
echo "To stop the script press CTRL+C"
echo "Starting to probe the system . . "
echo ======================================================================== >> "$LOG"
echo "=== The beginning of the probing process ===" >> "$LOG"
date >> "$LOG"
echo ======================================================================== >> "$LOG"
sleep 5
while true     # loop until the script is interrupted or killed
do
    echo "New run, collecting....."
    echo "To stop the script press CTRL+C"
    echo "       "
    echo ============================================================= >> "$LOG"
    date >> "$LOG"
    echo ============================================================= >> "$LOG"
    echo "    " >> "$LOG"
    echo "    " >> "$LOG"

    # Memory usage
    echo "cat /proc/meminfo :" >> "$LOG"
    echo "------------" >> "$LOG"
    cat /proc/meminfo >> "$LOG"
    echo "    " >> "$LOG"

    # Per-core CPU usage as reported by Check Point
    echo "cpstat os -f multi_cpu :" >> "$LOG"
    echo "------------" >> "$LOG"
    cpstat os -f multi_cpu >> "$LOG"
    echo "    " >> "$LOG"

    # One batch-mode iteration of top
    echo "top -n1 -b :" >> "$LOG"
    echo "------------" >> "$LOG"
    top -n1 -b >> "$LOG"
    echo "    " >> "$LOG"

    # Full process tree (BSD-style options, so no leading dash)
    echo "ps auxf :" >> "$LOG"
    echo "------------" >> "$LOG"
    ps auxf >> "$LOG"
    echo "    " >> "$LOG"

    clear
    echo " "
    echo "GOING to SLEEP for 30 seconds, run complete"
    echo "       "
    echo "         "
    echo "Please press CTRL+C in order to break the script"

    sleep 30
done
0 Kudos

Re: Need auto execute command script like EEM in Cisco

But best would be to ask CP TAC for the CPU spike monitor script "spike_monitor_cpk.sh" by Ariel L. Dor.

0 Kudos