This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marcyn
Collaborator
Collaborator
Monday
Jump to solution

R82 cluster monitoring with Insights

Hi Checkmates,

I have created my own lab with 2x 23500 with R82 EA configured as ElasticXL cluster.
Everything looks fine except one minor thing... I don't see any traffic in Insights -> Tools -> ConnView:

elxl1.png

It doesn't matter if I use filter on the left to see particular traffic or not ... after I hit Search button - I see nothing.

 

Of course there is a traffic from host in "net1" (internal) to host in "net2" (external) - it goes via Check Point R82 (NAT+routing_firewall). I can see this traffic via tcpdump/cppcap/fw monitor ... in logs, etc.

On the other hand - the same looks perfect in TechPoint's Quantum R82 ElasticXL (EA Review):

elxl2.png

 

Is there any requirement for this tool to be able to display connections ?
For example some process/daemon/etc. must be configured first ?


BTW
R82 looks amazing, especially ElasticXL in my opinion will be game changer !


--
Best
Marcin

1 Solution

Accepted Solutions
ShaiF
Employee
Employee
Tuesday
Jump to solution

After investigating the issue. We found out it is due to the fact connview tool (which insights ConnView tab is using) is not working with Kernel FW mode. 
Solution is to change USFW.

View solution in original post

13 Replies
ShaiF
Employee
Employee
Monday
Jump to solution

Hi Marcin,

You are correct and you should see the connection table with or without filter.

Unless your query exceeded max entries of 1000 on one of your cluster member. but in that case you should have seen pop up alert on insight mentioning this and tell you to narrow down your search by adding more filters.

I will install EA version and see if reproduce.

Will keep you updated.

Regards,

Shai

0 Kudos
marcyn
Collaborator
Collaborator
Monday
In response to ShaiF
Jump to solution

Hi @ShaiF 

Great, looking forward your test results.

Just to clarify - my lab is absolutely basic one ... I've just addressed two interfaces, added this cluster to SMS, changed CleanUp Rule to become PassAll, started the traffic flow ... and generally that's it.
Insights works great - I see a lt of statistics (first pane), alerts, etc ... only the last pane "doesn't like me" 🙂

Hopefully we will find why.

--
Best
Marcin

0 Kudos
the_rock
Legend
Legend
Monday
Jump to solution

Hey Marcin,

Is this cpview or something else? I have exl lab, so can check as well.

Andy

0 Kudos
marcyn
Collaborator
Collaborator
Monday
In response to the_rock
Jump to solution

Hi @the_rock,

This is new tool introduced in R82 for cluster monitoring (for ElasticXL and Maestro).

You can run it by executing command "insights" from gateway.

You will love this tool 🙂

--
Best
Marcin

0 Kudos
the_rock
Legend
Legend
Monday
In response to marcyn
Jump to solution

I used eve-ng for this, gives below...will see if that setting is in terminal settings, cant seem to find it lol

Andy

[Expert@CP-EXL-1-s01-01:0]# insights

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.
Current terminal size is (columns = 72, rows = 19)
To watch information regarding your cluster use one of the following commands:
- From gClish:
> show cluster info ...
- From expert:
# cinfo --help

For best view of insights adjust your preferred terminal application with the following settings:
- Terminal type: xterm
- Font: consolas
- Encoding: UTF-8


[Expert@CP-EXL-1-s01-01:0]#

0 Kudos
marcyn
Collaborator
Collaborator
Monday
In response to the_rock
Jump to solution

just enlarge your terminal window to fulfill this requirement:

Insights is supported only on terminals with settings of at least 190 columns and 25 rows.

As you can see yours is like this:

Current terminal size is (columns = 72, rows = 19)

 

And then magic will happen 🙂

 

m.

0 Kudos
the_rock
Legend
Legend
Monday
In response to the_rock
Jump to solution

Never mind, I googled it quick, ran this command and now I see the menu. let me check it later on.

Andy

 

[Expert@CP-EXL-1-s01-01:0]# stty cols 200 rows 150

0 Kudos
ShaiF
Employee
Employee
Tuesday
Jump to solution

After investigating the issue. We found out it is due to the fact connview tool (which insights ConnView tab is using) is not working with Kernel FW mode. 
Solution is to change USFW.

marcyn
Collaborator
Collaborator
Tuesday
In response to ShaiF
Jump to solution

Yes,

Thank you @ShaiF for this quick remote session.

And I can confirm what Shai just wrote.
We found out this:

[Expert@R82-01-s01-01:0]# connview
[Error] ConnView is not supported on a Security Gateway that runs the Firewall in the Kernel mode (KSFW). For more information, see sk167052.

And everything is clear now ... It is really "funny" because USFW as we know is enabled by default, but not for 23500 appliance ... which I have in my lab 🙂
/it looks like only this one particular model does not have it enabled by default ... lucky me 😉 /

After I switched to USFW I can see connections in insights.
So in case anybody else will have such "issue" it's just Firewall Mode.

Thank you Shai, it was resolved really fast 🙂

--
Best
m.

 

0 Kudos
_Val_
Admin
Admin
Tuesday
In response to marcyn
Jump to solution

EDITED: My original statement was incorrect, now removed. 

@ShaiF knows better 🙂

(1)
ShaiF
Employee
Employee
Tuesday
In response to _Val_
Jump to solution

Hi Val,

In EA take FW mode depends on models and platform (EXL run USFW by default as well on some models and VM). In GA take all appliances and platforms (Single Gateway, ClusterXL, Maestro, EXL..) will have USFW by default.

Regards,

Shai.

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to ShaiF
Jump to solution

Hey @ShaiF @marcyn 

Just for context, I tested it in elasticxl in eve-ng and shows user kernel mode is enabled. 

Andy

elasticxl:

[Expert@CP-EXL-1-s01-01:0]# cpprod_util FwIsUsermode
1
[Expert@CP-EXL-1-s01-01:0]#

regular R82:

[Expert@R82-TEST-FW:0]# cpprod_util FwIsUsermode
1
[Expert@R82-TEST-FW:0]#

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to marcyn
Jump to solution

Will check this in the lab later 🙂

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events