Wondering if Policy Push can be alerted with the h...

Blason_R · ‎2023-04-23

Hi Folks,

I am now good with Skyline alerts and have created a bunch of of those. Now I am wondering if policy pushed can be tracked and alerted with the help of opentelemetry or skyline?

Here is my query

(firewall_policy_time{host_name="Firewall", environment=~"Default", service_namespace="vs_id_0"}>100000)*1000

@Arik_Ovtracht - Can you please help?

TIA

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Elad_Chomsky · ‎2023-04-24

Hi @Blason_R ,

Try to experiment by doing something like this -

(firewall_policy_time { host_name="Firewall", environment=~"Default", service_namespace="vs_id_0"} - firewall_policy_time{ host_name="Firewall", environment=~"Default", service_namespace="vs_id_0"} offset 15s) != bool 0

I used the offset instruction to get the last sample ( 15s before ), then I compared the difference and checked if it is not 0.

In general the use case that you are referring to is classified as an 'event'.

We are aiming to support events in the future, and it is currently part of our plans and roadmap.

Blason_R · ‎2023-04-24

That is great and thanks for the input. However that query is not working for me.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Blason_R · ‎2023-04-24

This is correct and then I can define Last of $A != 0

(firewall_policy_time { host_name="Firewall", environment=~"Default", service_namespace="vs_id_0" } - firewall_policy_time { host_name="Firewall", environment=~"Default", service_namespace="vs_id_0"} offset 15s)

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Elad_Chomsky · ‎2023-04-24

I have fixed the query on the original post, please retry -

1 - policy has changed

0 - policy has not changed

Please contact me privately on eladch@checkpoint.com, so I can try to assist you with any further issues.

Are you a member of CheckMates?

Wondering if Policy Push can be alerted with the help of Skyline?