This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Legend Legend
Legend
a month ago

HCP-X...The Leading Edge

So interestingly there appears to be some extra not-yet-published leading edge tests that can be added on to the standard hcp command with the --tac option once hcp has been updated to the latest version:

sk183223: HealthCheck Point Addon

I always found it interesting to informally track what new tests are added to hcp with each new update as these tend to be driven by what current cases TAC is seeing, and in some cases has tipped me off to an issue even before an SK article was created or a Checkmates post appeared.  So let's take a look at these leading-edge TAC tests that aren't run by default!

EDIT: There is no need to download a new copy of hcp with curl_cli as shown in this screenshot, please see my follow-up post below.

hcptac1.png

EDIT: There is no need to download a new copy of hcp with curl_cli as shown in this screenshot, please see my follow-up post below.

Some definitely juicy ones here:

  • Missing routes from kernel which I actually mentioned in my Be Your Own TAC Part Deux presentation due to an unreachable next-hop address
  • IKEv2 Narrowing Issue Detection which was a major VPN interoperability issue at one point
  • Dynamic Balancing and GNAT Validation which I assume is checking for a situation where Dynamic Balancing/Split is disabled to to GNAT being off (which happens on gateways with less than 8 cores even if they support Dynamic Split)
  • dynamic_split --z occurrences not completely sure here, perhaps if split flapping was detected and an anti-flap penalty was enforced?
  • ARP Drops assume this is due to invalid next hops (sk182582)
  • RAD Tests Oh yes definitely...

The cool part is if you aren't sure exactly what a certain hcp test means (even if it is a TAC test), you can always go look at the python source code for the test itself and see precisely what it is looking for here: /etc/hcp/tests/*/*.py

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
(1)
10 Replies
PhoneBoy
Admin
Admin
4 weeks ago

I quite like how much data HCP can collect. 

0 Kudos
the_rock
Legend
Legend
4 weeks ago

I cant seem to find that sk, either by opening the link or searching for it.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
4 weeks ago
In response to the_rock

Odd, it was there Saturday but now I can't see it either.  There wasn't much in that SK other than the command I used in the screenshot to update hcp, and a mention of the --tac option.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
(1)
the_rock
Legend
Legend
4 weeks ago
In response to Timothy_Hall

No worries! Yes, I ran the command you gave in your screenshot in one of my R82 lab fws and worked great.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
3 weeks ago

So after some more investigation performed while updating my Gateway Performance Optimization Course, it looks like takes 76 and higher of hcp have the TAC tests capability built-in, and there is no need to download a different version of hcp as shown in my original posting's screenshot.  Here is the new page from my course for future reference:

hcptactests.png

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
the_rock
Legend
Legend
3 weeks ago
In response to Timothy_Hall

Thanks for that Tim!

0 Kudos
Duane_Toler
Advisor
3 weeks ago
In response to Timothy_Hall

Oh wow! This is nice!  An extra 100 oddball tests available!

 

 

hcp -l --tac |awk -F "|" ' $3 ~ /TAC/ { print $0 }' |wc -l
100

 

Nice find! 🙂

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
Legend
Legend
3 weeks ago
In response to Duane_Toler

good find!

0 Kudos
Timothy_Hall
Legend Legend
Legend
3 weeks ago
In response to Duane_Toler

Yep just remember these TAC tests are not supported (don't bug TAC if you see a failure of one of these) and can change at any time!

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
the_rock
Legend
Legend
3 weeks ago
In response to Timothy_Hall

I ran it on few fws and no issues.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events