Re: Monitoring if Aggressive Aging is enabled and ...

tjoll · ‎2024-09-23

Hi All,

I'm looking for the best way to monitor the Aggressive Aging feature on Check Point appliances with different setups. (Gateways, VSX, Maestro, VSX on Maestro) Unfortunately, there is no standard way to monitor if the feature is enabled and active. My suggestion would be the following:

- Use a custom SNMP oid so the monitoring can poll the oid. --> This is an issue on Maestro setups because you can only monitor the SMO.
- Use a custom script on the gateway appliances to check the 'active' string in the output of 'fw ctl pstat' and report back. --> I would like to avoid to run the script on the gateways because of possible performance issues caused by the script.
- Use a custon script on the mgmt server and read the output of 'fw log' and report back. --> Might be the best option.
- Maybe using Skyline to check if the feature is active. Although I'm not sure if this is reported back to Skyline.

I've also tried to monitor other variables related to aggressive aging like memory and connection limit, but without success. The memory is related to firewall memory which is different then the one that can be monitored (system memory). And I'm also missing an option to monitor the connection limit.

Does somebody have a different option or approach to monitor if the feature is enabled and active? Any suggestions are welcome.

Thanks.

Mitchel

Chris_Atkinson · ‎2024-09-23

There is a control log generated when it is active, perhaps the SIEM could look for this and alert accordingly?

CCSM R77/R80/ELITE

tjoll · ‎2024-09-23

Yeah, that's a possibility. Although we cannot create a filter to only log the aggressive aging logs. Importing all other logs will heavily increase our license/costs. Unless you know a proper was to filter the logs. Maybe only threat prevention logs?

Tomer_Noy · ‎2024-09-24

If you know how to identify a specific log that states whether aggressive aging is on, then you can write a script that will leverage the "show logs" API on the Management. This won't require exporting many logs to your SIEM.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.9.1%20

Another alternative, is to use the Compliance blade with a custom GAIA best practice that would run the suggested commands to check for aggressive aging configuration. This would be a simple script with a success/fail output that would be run on all your gateways by the Compliance mechanism, store the results and present them in reports along with other compliance/best practice information.
Here's a post from a while back that explain how to use it: https://community.checkpoint.com/t5/Management/Now-we-allow-You-to-define-your-own-Gaia-OS-Best-Prac...

G_W_Albrecht · ‎2024-09-23

Here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/T...

You see:

[Expert@MyGW:0]# fw ctl pstat
System Capacity Summary:
 Memory used: 3% (265 MB out of 7117 MB) - below watermark
 Concurrent Connections: Not Available
 Aggressive Aging is enabled, not active
...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

tjoll · ‎2024-09-24

Hi G_W_Alrbecht,

That was one of the options I described in the opening post. Maybe build our own script around it. But it can consume some extra performance on the gateway. So not sure if this is the best solution I've got.

Elad_Chomsky · ‎2024-09-23

Hi @tjoll ,

We are about to release a new feature, allowing custom scripts in Skyline during October, combined with Grafana it might be what you are looking for, contact me in private at eladch@checkpoint.com, and we can try to assist you to install it and do early testing.

tjoll · ‎2024-09-25

Hi Elad,

Yesterday, I've tried to setup Skyline. Prometheus, Grafana and the dashboards are running. When pushing the JSON payload to the gateway, we see in a tcpdump the connection from the gateway to Skyline. Unfortunately, we see errors in Prometheus about the data being received in the wrong order. Sometimes with a HTTP 400 bad request. So currently, we're stuck even at the GA version 😂

Elad_Chomsky · ‎2024-09-25

Hi @tjoll ,

Please contact me in private in eladch@checkpoint.com, I will try to assist you.

Lesley · ‎2024-09-23

Posting here because I have worked together with Mitchel on this case.

This case is especially interesting due the Maestro setup. I have a feeling only Skyline is the proper tooling for this product line.

-------
If you like this post please give a thumbs up(kudo)! 🙂

tjoll · ‎2024-09-24

Yeah, although it is for a Maestro setup. I'm willing to make a script for different flavors of gateways.

Lloyd_Braun · ‎2024-09-23

Did you already look into configuring "SNMP Trap" as the Track: setting in the Aggressive Aging protection, in "Inspection Settings" section? There is also potential in threshold_config and smartview monitor to configure SNMP traps based on concurrent connections, though I am seeing that labeled as "concurrent connection rate" so not sure if you could configure it to fire when connection table gets to a specific size.

tjoll · ‎2024-09-24

I was looking into that as well. Currently, our platform does not support traps. SNMP traps are not as reliable for proper monitoring. What if we miss the SNMP trap because the packet does not arrive on our monitoring system because of the performance issues on the gateway, we try to monitor? Then we're still partly blind because we did not receive the trap.

If we cannot actively poll the feature, then I will look into traps again.

Are you a member of CheckMates?

Monitoring if Aggressive Aging is enabled and active