Re: create email alert when failover occur

Arthur_DENIS1

Hi,

I try to create email alerting when a failover occurs.

For that, I use SmartEvent - I believe it's the easiest way?

I configured for that a simple filter, using event product "CheckPoint Security gateway" and log fields "Type" = Control

However, nothing happened when a failover occurred ... Could you please advise me? Thanks

Chris_Atkinson

sk81740 provides a method that might be helpful

CCSM R77/R80/ELITE

Arthur_DENIS1

thanks for pointing this to me

Is still relevant as sk is mentioning R75 to R80.30 ? And for VSX ?

And what if we change the tranking option to "mail alert" instead of "Log", do we still have the log in the smartlog ?

Arthur_DENIS1

just tested: not working with a VSX running R82 😞

Lesley

You see SMTP traffic being send out? Maybe start with this so we know what place we have to start, still could be miss configuration. For this I would use SmartEvent because you can build more triggers.

There are limitations, no encryption and no smart1 cloud , check it out: https://support.checkpoint.com/results/sk/sk25941

-------
Please press "Accept as Solution" if my post solved it 🙂

Arthur_DENIS1

Unfortunately no SMTP traffic has been sended out...
And this checkbox is configured: "Send mail alert to SmartView Monitor", but no alert has been displayed in the smartview monitor 😞

Arthur_DENIS1

@Lesley that's my idea in the beginning to use SmartEvent if you check my initial message -> however, nothing happened when a failover occurred ...

"I configured for that a simple filter, using event product "CheckPoint Security gateway" and log fields "Type" = Control"
this should catch a lot of events, including ClusterXL.

Lesley

Maybe with some screenshots we can spot an error, is that possible? just blur out mail server ip

-------
Please press "Accept as Solution" if my post solved it 🙂

Arthur_DENIS1

@Lesley sorry for delay ---

Here you can see what I see in the log:

And here what I configured:

Even if filtering on type = control is too large and catch too many notifications, it should work.
But i never receive alert with that filter...

My mail alert (automatic reaction object) is working for somes other alert, so this part is fine

Lesley

Lets move away from control and let's try: "cluster information''

This field is also listed here: https://support.checkpoint.com/results/sk/sk144192

To check if any automatic reaction is working you can try something basis like reaction when admin logins into SSH:

https://support.checkpoint.com/results/sk/sk181190

Maybe it gives some hints to the clusterXL config

-------
Please press "Accept as Solution" if my post solved it 🙂

Arthur_DENIS1

Hi

Unfortunately even with "Cluster information", this is not working.

yes automatic reaction is working (for expert login, policy installation, etc etc)

Tal_Ben_Bassat

@Arthur_DENIS1 - you can definitely achieve this use case using Infinity Playblocks custom automations! 🎯

You can create an automation that:

- Uses a Log Trigger step and define your filter for your specific failover event
- Sends notifications directly to your preferred channels - email, Teams, Slack, etc.

Playblocks gives you flexible triggers and multiple notification options, so you’ll get alerting exactly where you need it.

If you’re able to share the relevant log sample or filter condition here, we can help design the automation for you - and we may even add it as an out-of-the-box automation for others to use. 🙂

Arthur_DENIS1

Idea is not to use infinity playblock, but to stay on premise.
But thanks for the idea

Pedro_Espindola

Did you check if the event was actually created? Generate a correlated events report and search for your custom event.

After the event is working, then troubleshoot the automatic reactions part. If you have playblocks, that is the way to go. If you don't, then proceed with SmartEvent automatic reactions. It is better to use a custom shell script that sends emails using postfix instead of the native email action. Also, you could easily use a script to send a Telegram or some other kind of webhook. Easier than sending emails.

Pedro_Espindola

I know that is not what you asked and that making the automatic reaction work is a nice exercise and useful for many purposes, but here is my humble opinion about this specific case:

You will get better results using an external monitoring system to query the member state and alert you when it changes. Monitoring externally will also let you monitor many other stats of performance, availability, license, etc. You can use Skyline or SNMP.
For Skyline:
https://sc1.checkpoint.com/documents/Appliances/Skyline/Content/Topics-Metrics/ClusterXL.htm?tocpath...

For SNMP, use OID .iso.org.dod.internet.private.enterprises.checkpoint.products.ha.haState
.1.3.6.1.4.1.2620.1.5.6

sk90860 - How to configure SNMP on Gaia OS

Arthur_DENIS1

Hi @Pedro_Espindola

I'm totally agree with you, having an external snmp monitoring is better.

We have one for that. but the fact is that last time a failover occur and i did'nt get the alert, because of monitoring system failure...
That's why i would like to get an additional alert directly from checkpoint devices.

Pedro_Espindola

Makes sense. Redundancy is always better!

Have you tried any of my other recommendations? Did you confirm that the failover events are actually being created in the correlated report?

Arthur_DENIS1

Yes it's created in the correlated event report.

I have opened a TAC case for that, because i strongly believe it's like a bug in smartevent

Are you a member of CheckMates?

create email alert when failover occur