IPS Monitoring
Hi community,
I have the need to monitor that my IPS systems have the latest signature installed,
but I have no clue how to handle this.
I can easily read out the status with IPS STAT.
[Expert@firewall]# ips stat
IPS Status: Enabled
IPS Update Version: 635184714
I bet there is an SNMP mib, too.
But where do I get the actual version number from that is available from Check Point?
Is there some kind of web service?
Thanks in advance
Regards
Sven
Pretty sure that number IS the correct version number.
See below:
You are right, I get this mail, too.
But this is not optimal for an automated process that should check it automatically on an hourly basis.
Best would be a web API or something like this on a Check Point update server.
Hi,
I did not find an SNMP response matching the actual installed version number. The Check Point MIBs did not mention that either (Check Point SNMP MIB files); at least I didn't find any that sounds promising.
Via the API command "show ips-status" you get some information.
[Expert@somehostname:0]# mgmt_cli show ips-status --format json
{
  "last-updated" : {
    "posix" : 1532076480000,
    "iso-8601" : "2018-07-20T10:48+0200"
  },
  "installed-version" : "635184761",
  "installed-version-creation-time" : {
    "posix" : 1531900800000,
    "iso-8601" : "2018-07-18T10:00+0200"
  },
  "update-available" : false,
  "latest-version" : "635184761",
  "latest-version-creation-time" : {
    "posix" : 1531900800000,
    "iso-8601" : "2018-07-18T10:00+0200"
  }
}
Assuming the management is able to download updates on its own, you'd see it in "update-available".
Or you can compare "latest-version" with "installed-version".
Depending on your monitoring solution, you can implement some kind of script there that compares the outputs (e.g. with the current time) and notifies you if no update has been done for x days, or an update is pending.
Hope that helps
Regards,
Daniel
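The comparison suggested in the post above, as an added example that is not part of the original thread or Check Point's own code: it maps the `show ips-status` JSON to a green/yellow/red monitoring result. The Nagios-style exit codes, the 7-day threshold, the file name `check_ips.py` and the reading of "last-updated" as the time of the last update run are assumptions.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios-style exit codes (assumed convention)

# Constructed sample, trimmed from the ips-status output shown in the post above.
SAMPLE = """{
  "last-updated": {"posix": 1532076480000},
  "installed-version": "635184761",
  "update-available": false,
  "latest-version": "635184761"
}"""


def check_ips_status(raw_json, now, max_age_days=7):
    """Map show ips-status JSON to (exit_code, message)."""
    try:
        status = json.loads(raw_json)
        installed = status["installed-version"]
        latest = status["latest-version"]
        # The "posix" values in the output above are in milliseconds.
        updated = datetime.fromtimestamp(
            status["last-updated"]["posix"] / 1000, tz=timezone.utc)
    except (ValueError, KeyError, TypeError) as exc:
        # Fail closed: unreadable output must not show up as a green light.
        return CRITICAL, f"cannot parse ips-status: {exc!r}"
    if status.get("update-available") or installed != latest:
        return WARNING, f"update pending: installed {installed}, latest {latest}"
    age = now - updated
    if age > timedelta(days=max_age_days):
        return CRITICAL, f"no IPS update for {age.days} days (limit {max_age_days})"
    return OK, f"IPS version {installed} is current, updated {age.days} days ago"


if __name__ == "__main__":
    # Usage: mgmt_cli show ips-status --format json | python3 check_ips.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    code, message = check_ips_status(raw, datetime.now(timezone.utc))
    print(message)
    sys.exit(code)
```

A missing or malformed response is reported as critical, so a failed login or an empty pipe cannot be mistaken for an up-to-date IPS.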
Sven,
The best way to do this in an automated way is, as Daniel said, the API command.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/show-ips-status~v1.2%20
If you prefer the GUI-way-to-do:
Update your Management to R80.20.M1
This is a good workaround! Thanks for this idea.
Hopefully one day I can use the API for checking the actual state of the gateway, too.
All the relevant information is already inside the management.
I think it is in general a good idea to bring more value to SNMP MIBs in terms of IPS.
Some regulations like PCI DSS need the IPS state (active or not active) and its signature up-to-dateness to be monitored.
The GUI-way-to-do is not working, because the operations guys want to have a green light or a red one only.
BTW, Andre Scheper: the GUI-way-to-do is already working with R80.10 but not with VSX. Is this already fixed with R80.2.M1?
A gateway API is not available as of today,
but there is a helpful API command:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/run-script~v1.2%20
Use "ips stat | grep Version" as the parameter and compare it to the management info (latest-version).
I will check the VSX question and contact you next week directly.
You are right. This is what I called a good workaround.
Thanks for the investigation, Andre!
Sven,
Check out my post about getting the IPS version on an MDS: https://community.checkpoint.com/thread/8331-ips-update-check-per-domain-r7730
I also use the exact same script on R80.10 and it works great.
