Custom script alert Mgmt Cluster
Hello ALL,
I am going to create a custom alert script which is going to be triggered when a specific Rule is hit by the traffic. All gateways are configured to send LOGs traffic to both Mgmt servers. The script should be placed in the $FWDIR/bin directory on the Mgmt Server ( R80.40 Gaia ).
Since we have Active/Standby Mgmt CP servers, where would it be advisable to put the script on? I thought to put one on Standby node thus offloading some work from the Primary Active Mgmt member?
The custom script in question is the simple bash, which will execute curl_cli and will send Alert data ( from IPS blade log ) to external entity: Something like -
#!/bin/bash
# Read the whole alert record that the management server pipes in on stdin
event=$(</dev/stdin)
version=$(fw ver)
date=$(date +"%Y-%m-%dT%H:%M:%S%z")
# Forward the alert; every expansion is quoted so spaces in the log line survive.
# Note: with an http:// URL the API key in the query string travels in cleartext.
curl_cli --cacert "$FWDIR/bin/ca-bundle.crt" -m 5 -X POST -d "$date $event device_version: $version;" "http://some_web_site.here?APIkey=whatever"
Thanks
I believe if both management servers receive the logs, they will both act on this script.
However, I'm not 100% sure about that.
Those receiving the logs in real time.
Thank you, I guess both nodes will try to execute the script on the Log trigger event. Since only one of them will have the script, the second one will silently fail. Wondering if I will see an error log message on this node, say in /var/log/messages?
I guess, ideally, it would be best to test these scenarios in the lab.
I think you misunderstand how custom alert works. The script is being executed ONLY if you get that custom alert in the logs. The trigger is the log itself with the custom alert marker. No log, no script execution.
Hi Valeri, can you elaborate a bit? What do you mean by custom alert in the logs please? Probably, I was not clear when I said initially I am creating a custom alert script. What I meant by this is just:
1. In global properties ->Logs and Alert->Alerts to check out the "Run UserDefined script" /path/to/the/script
2. Put the script ( the one I mentioned earlier in my initial post ) in the $FWDIR/bin directory
3. In the Threat Prevention Policy ( for the rule I'd like to send the alerts from ) check the Track option 'User Alert'
I tested this procedure with a single Mgmt server in my Lab and it works.
Are we on the same page?
Thanks
Sure, @ustoun
All the configuration steps you did are correct. However, you have written: "I guess both nodes will try to execute the script on the Log trigger event. Since only one of them will have the script the second one will silently fail."
I was addressing this assumption. It seems you think the script runs all the time on both members and looks for an alert. This is not true. Once an alert comes to your log server, it triggers the script. Although the script exists on both MGMT servers, only the one getting the alert will execute the script. The second one will not.
Are we on the same page? 🙂
NO, not yet, but we will eventually sync to the same page for sure 😁
If ALL the gateways are configured to send Logs to BOTH my Mgmt servers ( Active and Standby ), and since BOTH will receive the SAME logs, would only one of them trigger the script and NOT both?
No, both will execute the alert script, once logs are received.
To avoid it, you need to configure logs to be sent to primary and backup servers, instead of sending those to both servers at once.
You mean the right way to configure the Logs sent by the GWs is to distribute them between the Active/Stdby Mgmt? Say, two GWs send logs to the Primary Mgmt, 3 others send to the Secondary ( Standby ) one? If so, I am not in a position to change the current Logs distribution. Back to my original assumption: if I install the script only on the Standby server, then the Primary will try to execute the script and FAIL silently ( since there is no script installed on this server )? I guess it would NOT create any issue for this Primary Mgmt? Would it be safe to assume so?
Two questions here:
1. Log distribution. With two management servers, there is a best practice to configure primary and backup log servers per GW. Say, your GW sends logs to MGMT1, but if it fails or becomes unavailable, it starts sending logs to MGMT2.
2. If you configure a custom alert, but do not set up a corresponding script, you will get alert in the logs, but no custom action will be performed on that server. In your terms, it will silently fail.
Agree with BOTH statements. Thanks @_Val_
Late, but just in case: you can use fw hastat in the script to terminate on a standby and continue on active.
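The suggestion above (exit on the standby member, continue on the active one) combined with the original poster's forwarding script, written out as an added example that is not code from the thread or from Check Point. The only Check Point commands it relies on are fw hastat, fw ver and curl_cli, which the thread already names; the receiver URL, the API-key file path and the header name are placeholders, and the fw hastat parser only looks for the words active/standby rather than reproducing that command's column layout, so verify the output on your own management server before deploying.

```shell
#!/bin/bash
# Added example: a user-defined alert script that forwards only from the
# active management member. Deployed identically to $FWDIR/bin on both
# members; the standby copy exits without sending, so a log line that both
# members receive is forwarded once. All names below are placeholders.

ALERT_URL="${ALERT_URL:-https://alert-receiver.example/ingest}"   # placeholder receiver
ALERT_KEY_FILE="${ALERT_KEY_FILE:-$FWDIR/conf/alert_api_key}"      # placeholder path, mode 0600

# ha_role OUTPUT -> prints active | standby | unknown
# Classifies the text printed by 'fw hastat'. Only the state word is
# inspected (assumption: the word appears in the output); column order is
# deliberately not relied on.
ha_role() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *standby*) echo standby ;;
        *active*)  echo active ;;
        *)         echo unknown ;;
    esac
}

# should_forward ROLE -> returns 0 (forward) or 1 (stay silent)
# Standby stays silent to avoid duplicates. An unrecognised state still
# forwards: a duplicate alert is cheaper than a lost IPS alert.
should_forward() {
    case "$1" in
        standby) return 1 ;;
        *)       return 0 ;;
    esac
}

# build_payload DATE EVENT VERSION -> the body that is POSTed, same layout
# as the original poster's script
build_payload() {
    printf '%s %s device_version: %s;' "$1" "$2" "$3"
}

main() {
    event=$(cat)                                  # the alert record arrives on stdin
    role=$(ha_role "$(fw hastat 2>/dev/null)")
    if ! should_forward "$role"; then
        exit 0                                    # standby member: nothing to do
    fi
    if [ "$role" = unknown ]; then
        logger -t ips_alert "fw hastat state not recognised, forwarding anyway"
    fi
    version=$(fw ver)
    now=$(date +"%Y-%m-%dT%H:%M:%S%z")
    # The key travels in a header, not in the URL, so it never lands in
    # proxy or web-server access logs; the header name is an assumption.
    curl_cli --cacert "$FWDIR/bin/ca-bundle.crt" -m 5 -sS \
        -H "X-API-Key: $(cat "$ALERT_KEY_FILE")" \
        -X POST --data-binary "$(build_payload "$now" "$event" "$version")" \
        "$ALERT_URL" \
        || logger -t ips_alert "forwarding failed for alert: $event"
}

# 'fw' only exists on a Check Point host; elsewhere the file just defines
# the helpers so they can be sourced and exercised without a management server.
if command -v fw >/dev/null 2>&1; then
    main
fi
```

Place the same file on both members and reference it from Global Properties as the thread describes; the role check makes the placement question moot, and it does not replace the primary/backup log-server configuration recommended earlier in the thread, which remains the cleaner fix where it can be changed. Because the standby exits with status 0, nothing is written to /var/log/messages on that member; failures on the active member are logged via logger so a missing receiver is visible.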
