Need auto execute command script like EEM in Cisco
Hi, my Security Gateway CPU is spiking randomly. I want to configure a script to collect the output of some pre-defined commands, like EEM in Cisco. But I'm not getting the script for Check Point. Any help is much appreciated.
Check Point is based on Red Hat Linux. You can create Python or Bash scripts to collect the information.
Thanks for replying. I want to set up a script which will execute a command "fw tab -t connections -u > /var/log/Connections_Table.txt"
when my gateway CPU goes above 90%. Could you please help me with script and steps?
You'd have to write a script that:
1. Monitors CPU (remember: there is more than one core)
2. When CPU reaches your desired threshold, run the appropriate commands
Meanwhile, you might try using cpview, which can tell you a lot about what's going on.
It's happening randomly, that's why I thought of configuring a script. But I don't know how to do it. If you have any document related to scripting, please share. It will be helpful.
cpview has a history mode that will likely be helpful.
It won't require scripting.
cpview will record the information, I believe every 1 minute. I have seen it before: the CPU spikes in sub-seconds and cpview will not catch it. We had to use top with a lower timer to catch it.
Thanks
It's not foolproof, true, but it's a good starting point that doesn't involve writing scripts.
Houssameddine Zeghlache, in regards to the granularity of cpview history mode being 1 minute, I looked into it more closely when researching my book, and the per-minute historical numbers reported by cpview are the average of two samples taken 30 seconds apart. So a spike of some kind that occurs but is not still happening during one of the samples taken every 30 seconds will not show up at all in cpview's history mode, and this was noted in my book. Sar takes more of a running average over its sampling intervals and in some cases is preferred over cpview depending on what you want to inspect. Here is the table from the second edition of my book where these preferences are summarized; these are just my opinion of course:
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
March 27th with sessions for both the EMEA and Americas time zones
Hi Tim, in my case the CPU is spiking intermittently and by the time I log in it will have become normal. I know one thing: the CPU is spiking when the number of connections is increasing suddenly from 40k to 80k.
I'm stuck here. I want to find out what these connections are that are causing the CPU spike. Could you please help me out?
Tim, I forgot to say one more thing: firewall policy logs are disabled for all policies except the cleanup rule.
OK since logging is only for cleanup it is probably not fwd and its associated logging functions spiking the CPU.
First order of business for a spiking CPU is to determine what kind of execution is eating the most cycles during the problematic period. sar can get you going in the right direction here; run sar in historical mode like this (assume that the day number it happened was 7 in this example, for today just omit the "-f (filename)" argument):
sar -f /var/log/sa/sa07 -P ALL
This will show where specifically the CPU is going percentage-wise for each type of execution, namely:
%user - process execution, generally this should be fairly low on a gateway unless features that cause process space trips such as HTTPS Inspection are turned on
%nice - irrelevant on a gateway, important on an R80+ SMS though
%system - kernel execution, roll up of the sy/si/hi/st shown in top
%iowait - waiting for I/O, should be very low (<5%) on a gateway unless policy is currently being installed, if higher than that during your spikes the firewall is almost certainly low on memory, post output of free -m
%idle - hopefully self-explanatory
Please report where most of the CPU cycles are going during the spikes and we can go from there. If it is spiking in %system as shown by sar, you're going to either have to catch the problem live while running top, or run top in batch mode so we can see which one of sy/si/hi is the culprit.
You might start playing with it in a lab by checking some scripts like this one and adjusting for your needs
https://stackoverflow.com/questions/15655969/shell-script-for-cpu-load-monitoring
I have an old, outdated script from years ago
Usage: Before running the script, please set up top so it always shows all CPUs:
#top
Press 1
Press shift + w
Press Enter
Exit top
Verify that it shows all CPUs by entering top again.
Now we can run the script:
#dos2unix monitor.sh
#chmod +x monitor.sh
#nohup ./monitor.sh &
The script will now run in the background and will take specific outputs related to performance every 30 seconds.
They will be written into /var/log/output.txt
To kill the script:
#ps aux | grep monitor.sh
#kill -9 [pid of monitor.sh]
You can change the time value to your needs.
#!/bin/bash
#
# Appends performance snapshots to /var/log/output.txt every 30 seconds.
#
clear
echo "To stop the script press CTRL+C"
echo "Starting to probe the system . . "
echo ======================================================================== >> /var/log/output.txt
echo "=== The beginning of the probing process ===" >> /var/log/output.txt
date >> /var/log/output.txt
echo ======================================================================== >> /var/log/output.txt
sleep 5
while true # loop until the script is stopped or killed
do
    echo "New run, collecting....."
    echo "To stop the script press CTRL+C"
    echo " "
    # Timestamp header for this run
    echo ============================================================= >> /var/log/output.txt
    date >> /var/log/output.txt
    echo ============================================================= >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    # Memory usage
    echo cat /proc/meminfo : >> /var/log/output.txt
    echo "------------" >> /var/log/output.txt
    cat /proc/meminfo >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    # Per-core CPU statistics as reported by Check Point
    echo cpstat os -f multi_cpu : >> /var/log/output.txt
    echo "------------" >> /var/log/output.txt
    cpstat os -f multi_cpu >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    # One batch-mode iteration of top
    echo top -n1 -b : >> /var/log/output.txt
    echo "------------" >> /var/log/output.txt
    top -n1 -b >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    # Full process tree
    echo ps -auxf : >> /var/log/output.txt
    echo "------------" >> /var/log/output.txt
    ps -auxf >> /var/log/output.txt
    echo " " >> /var/log/output.txt
    clear
    echo " "
    echo "GOING to SLEEP for 30 seconds, run complete"
    echo " "
    echo " "
    echo "Please press CTRL + C in order to break the script"
    sleep 30
done
But best would be to ask CP TAC for the CPU spike monitor script "spike_monitor_cpk.sh" by Ariel L. Dor.
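The trigger the original poster asked for, as an added example that is not part of any post in this thread and is not the TAC script: it samples /proc/stat per core and runs the thread's fw tab command when any single core goes above the threshold. The sampling interval, cooldown, `--run` switch, log name and timestamped file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-core CPU trigger for a capture command.
THRESHOLD=${THRESHOLD:-90}   # percent busy on any single core (value from the thread)
INTERVAL=${INTERVAL:-1}      # seconds between samples (assumption)
COOLDOWN=${COOLDOWN:-60}     # pause after a capture so files do not pile up (assumption)
OUTDIR=${OUTDIR:-/var/log}   # directory the thread's command writes to

# Per-core counter lines (cpu0, cpu1, ...); the aggregate "cpu" line is skipped.
snapshot() { grep '^cpu[0-9]' /proc/stat; }

# core_busy OLD NEW: print "cpuN PCT" per core from two snapshots.
# Busy time is everything except idle and iowait (fields 5 and 6).
core_busy() {
    printf '%s\n--\n%s\n' "$1" "$2" | awk '
        $1 == "--" { second = 1; next }
        {
            total = 0
            for (i = 2; i <= NF && i <= 9; i++) total += $i   # user..steal
            idle = $5 + $6
            if (!second) { t[$1] = total; d[$1] = idle; next }
            dt = total - t[$1]; di = idle - d[$1]
            print $1, (dt > 0 ? int(100 * (dt - di) / dt) : 0)
        }'
}

# hot_cores OLD NEW THRESHOLD: space-separated names of cores above THRESHOLD.
hot_cores() {
    core_busy "$1" "$2" | awk -v th="$3" '$2 > th { printf "%s%s", sep, $1; sep = " " }'
}

main() {
    prev=$(snapshot)
    while sleep "$INTERVAL"; do
        cur=$(snapshot)
        hot=$(hot_cores "$prev" "$cur" "$THRESHOLD")
        prev=$cur
        [ -n "$hot" ] || continue
        stamp=$(date +%Y%m%d_%H%M%S)
        echo "$stamp cores above ${THRESHOLD}%: $hot" >> "$OUTDIR/cpu_spike.log"
        # Command from the thread; a timestamped name keeps each spike's table.
        fw tab -t connections -u > "$OUTDIR/Connections_Table_$stamp.txt" 2>&1
        sleep "$COOLDOWN"
        prev=$(snapshot)
    done
}

# Start the loop only on request: nohup ./cpu_trigger.sh --run &
if [ "${1:-}" = "--run" ]; then main; fi
```

Dumping a large connections table costs CPU and disk on a gateway that is already loaded, which is what the cooldown is for; watch free space in the output directory if spikes are frequent.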
