ED
Advisor

Pssst something is wrong

High CPU usage during periods you didn't know about? A colleague installed a firewall policy without you knowing it and the phone starts to ring? Logs filling up disk space? You can configure thresholds so that an SNMP trap or email is sent automatically to notify you when the above happens. This will also help you start troubleshooting at the right moment during a performance incident with the top and cpview commands. Have you configured this in your environment?

This example will show you how to configure email notifications.

Note: To receive mail alerts you need to have an SMTP server configured with "Mail Relay" where you allow the IP address of your mgmt server and "No Authentication", for instance your internal Exchange server. Be aware also that your management server has to be allowed to send mail to this mail server in your security policy. That also means having a route from the mgmt server to the mail server.

1. Configure thresholds on gateway(s):

System Alerts can be customized per network object, or they can be set to comply with the global System Alert attributes.

Logs & Monitor > New tab > Tunnel & User monitoring to open SmartView Monitor.

Under All Gateways overview, right-click on an object and select Configure thresholds.

Three options here to choose between:

Which one to choose? Edit Global Settings lets you define a set of default system alert parameters (such as CPU utilization) for each installed product and determine the action to be taken (such as log or alert) when that parameter is reached. You might have only a cluster, where this option is fine, but for others that have many gateways, Custom on each object might be a better option since you could tune it differently. In this example we will use Custom.

For CPU usage, free disk space and firewall policy install time you could set something like this:

System Alert Monitoring Mechanism
Check Point Security Management server has a System Alert monitoring mechanism that takes the System Alert parameters you defined and checks if that System Alert parameter has been reached. If it is reached, it activates the action defined to be taken. If the system alert daemon is not started you will get this message

In your SmartView Monitor window select to start as shown below.

2. Set up mail alerts for configured thresholds:

Open Global properties in your SmartConsole and go to Alerts

The internal_sendmail is an internal Check Point command (built-in into FWD daemon) that directs the Check Point Alerts Daemon on the Security Management Server / Domain Management Server to send an e-mail, using the specified arguments. It does not require a mail server or mail client to be installed on the Security Management Server / Multi-Domain Security Management Server.

Select a checkbox next to run mail alert script

Use this syntax:

internal_sendmail -s "SUBJECT" -t IP_ADDRESS_of_SMTP_SERVER [-f SENDER_E-MAIL@DOMAIN] RECIPIENT1_E-MAIL@DOMAIN [RECIPIENT2_E-MAIL@DOMAIN ...]

The above syntax did not work for me, don't quite know why. I had to use this instead:

$FWDIR/bin/sendmail -s "SUBJECT" -t IP_ADDRESS_of_SMTP_SERVER [-f SENDER_E-MAIL@DOMAIN] RECIPIENT1_E-MAIL@DOMAIN [RECIPIENT2_E-MAIL@DOMAIN ...]

Example

$FWDIR/bin/sendmail -s "MySubject" -t 192.168.20.30 -f fwmgmt@example.com sysadmin@example.com managers@example.com

Note: The e-mail subject must always be enclosed within quotation marks. Multiple recipients must be separated by a space character at the end.

Publish and install security policy to see if you get an email alert which will look like this:
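The prerequisites from the note at the top of this post (relay allowed for the management server's IP, no authentication, policy and route to the mail server) can be checked before relying on the alert. The sketch below is an added example, not part of the original post and not Check Point code: it walks the SMTP envelope up to RCPT TO and then resets, so no mail is sent. The function name `check_relay` and the result keys are assumptions, and it assumes Python 3 is available on the host you run it from.

```python
import smtplib

def check_relay(smtp_host, sender, recipients, port=25, timeout=10,
                local_hostname=None):
    """Dry-run the SMTP envelope an alert mail would use; no message is sent."""
    result = {"connect": False, "auth_advertised": False,
              "mail_code": None, "rejected": {}, "error": None}
    try:
        smtp = smtplib.SMTP(smtp_host, port, local_hostname=local_hostname,
                            timeout=timeout)
    except OSError as exc:
        # No route, dropped by policy, or nothing listening on the port.
        result["error"] = str(exc)
        return result
    result["connect"] = True
    try:
        smtp.ehlo_or_helo_if_needed()
        # Informational: a relay may advertise AUTH yet still accept this host.
        result["auth_advertised"] = smtp.has_extn("auth")
        # MAIL FROM without logging in: 530 here means authentication is required.
        result["mail_code"], _ = smtp.mail(sender)
        if result["mail_code"] == 250:
            for rcpt in recipients:
                code, text = smtp.rcpt(rcpt)
                if code not in (250, 251):
                    # Typically "relaying denied" for this source IP.
                    result["rejected"][rcpt] = (code, text.decode(errors="replace"))
        smtp.rset()  # abandon the envelope so nothing is delivered
    except smtplib.SMTPException as exc:
        result["error"] = str(exc)
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass
    return result

if __name__ == "__main__":
    # Constructed values, taken from the example command in the post.
    print(check_relay("192.168.20.30", "fwmgmt@example.com",
                      ["sysadmin@example.com", "managers@example.com"]))
```

A result with `connect` false points at routing or the security policy; a `mail_code` of 530 or entries in `rejected` point at the relay settings on the mail server.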

4 Replies
Huseyin_Rencber
Collaborator

Nice post.

My configured mail script is below, working successfully.

internal_sendmail -s 'Alert_CP' -t 10.X.X.X -f sender@example.com recipient@examplerec.com

0 Kudos
ED
Advisor

Thanks Huseyin. Don't know why it didn't work for me although the internal_sendmail should correspond to $FWDIR/bin/sendmail. 

Peter_Baumann
Contributor

Hi ED,

Great summary of this alert feature, thank you very much for it.

Now, does someone know what the difference is, when I set under the gateway object - Logs - Storage the "Measure free disk space" and issue an alert there?

Are these two procedures completely independent of each other?

Thanks,

Peter

0 Kudos