Check Point Hardware Diagnostic Tool for Hardware and OS

Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.

The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.

Check Point Firewalls Diagnostic Tool

Below are samples of hidden issues that may be lurking in your network environment.

Keep the clocks in sync

You’ve gone through the trouble of configuring NTP on all of your firewalls. It worked at the time you configured it. Then, months later, while troubleshooting an issue, you realize the clock is no longer set correctly.

indeni constantly tests the current NTP configurations on a gateway. If NTP fails consistently for 24 hours, we alert. The reason for the 24-hour threshold is to avoid alerting on maintenance being done to your NTP server.

Commands used: ntpdate, ntpdq, etc. (depending on OS).
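
The 24-hour rule above, as an added example (not indeni's own code). The probe list, the function names and the hourly probe interval are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

THRESHOLD = timedelta(hours=24)  # the threshold stated in the post

def ntp_alert(probes, threshold=THRESHOLD):
    """probes: (datetime, ok) results of periodic NTP checks, in any order.

    Alert only when every probe since the last success has failed and
    that unbroken failure streak spans at least `threshold`.
    """
    streak_start = latest = None
    for when, ok in sorted(probes):
        latest = when
        if ok:
            streak_start = None      # any success resets the streak
        elif streak_start is None:
            streak_start = when      # first failure of a new streak
    return streak_start is not None and latest - streak_start >= threshold

def hourly(start, outcomes):
    """Build constructed sample data: one probe per hour."""
    return [(start + timedelta(hours=i), ok) for i, ok in enumerate(outcomes)]

T0 = datetime(2024, 1, 1)
MAINTENANCE = hourly(T0, [True] + [False] * 6 + [True] * 3)  # 6 h NTP outage
BROKEN = hourly(T0, [True] + [False] * 25)                   # never recovers
```

A six-hour maintenance window on the NTP server stays silent, while a gateway that has not synced for a full day is flagged.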

Monitor interfaces for drops, errors, collisions, etc.

Drops usually occur when the traffic load is more than the interface can handle, or more than the CPU can take off the interface (RX buffers).

Errors usually occur when the duplex settings are wrong.

Collisions usually occur when you have a setup from hell or one that is simply outdated.

Whatever it is, you need someone to keep an eye on things and tell you when there are more drops, errors and collisions than there should be. It would be great if that someone would also tell you what interface it’s on, the speed+duplex settings for that interface, the IP addresses, MAC address, etc.

Commands used: ifconfig -a, ethtool.
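
A sketch of that kind of check, as an added example (not indeni's own code). It assumes the legacy net-tools `ifconfig -a` layout and compares two samples; the function names, the 0.1% threshold and the sample output are constructed for illustration.

```python
import re

COUNTERS = ("rx_errors", "rx_dropped", "tx_errors", "tx_dropped", "collisions")
# Constructed input in the legacy net-tools `ifconfig -a` layout.
IFACE = """{0}      Link encap:Ethernet  HWaddr {1}
          inet addr:{2}  Bcast:192.0.2.255  Mask:255.255.255.0
          RX packets:{3} errors:{4} dropped:{5} overruns:0 frame:0
          TX packets:{3} errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

def sample(eth0, eth1):
    """Each argument is a (packets, rx_errors, rx_dropped) tuple."""
    return "\n".join((IFACE.format("eth0", "00:00:5E:00:53:01", "192.0.2.1", *eth0),
                      IFACE.format("eth1", "00:00:5E:00:53:02", "192.0.2.2", *eth1)))

BEFORE = sample((1000000, 0, 10), (500000, 0, 0))
AFTER = sample((1100000, 0, 5010), (550000, 0, 3))

def parse_ifconfig(text):
    """Return {interface: counters plus 'ip' and 'mac'} for each block."""
    result = {}
    for block in re.split(r"\n(?=\S)", text):
        rx = re.search(r"RX packets:(\d+) errors:(\d+) dropped:(\d+)", block)
        tx = re.search(r"TX packets:(\d+) errors:(\d+) dropped:(\d+)", block)
        col = re.search(r"collisions:(\d+)", block)
        if not (rx and tx and col):
            continue  # not an interface block we can read
        mac, ip = (re.search(p, block) for p in (r"HWaddr (\S+)", r"inet addr:(\S+)"))
        result[block.split()[0]] = {
            "packets": int(rx[1]) + int(tx[1]), "collisions": int(col[1]),
            "rx_errors": int(rx[2]), "rx_dropped": int(rx[3]),
            "tx_errors": int(tx[2]), "tx_dropped": int(tx[3]),
            "mac": mac[1] if mac else None, "ip": ip[1] if ip else None}
    return result

def degraded(before, after, max_ratio=0.001):
    """Flag counters that grew by more than max_ratio of the packets seen
    between two samples; a lower value than before is treated as a reset."""
    old, alerts = parse_ifconfig(before), []
    for name, now in parse_ifconfig(after).items():
        prev = old.get(name, {})
        delta = {k: now[k] - prev.get(k, 0) if now[k] >= prev.get(k, 0) else now[k]
                 for k in COUNTERS + ("packets",)}
        for key in COUNTERS:
            if delta[key] / max(delta["packets"], 1) > max_ratio:
                alerts.append((name, key, delta[key], now["ip"], now["mac"]))
    return alerts
```

With the constructed samples, only eth0 is reported: 5000 new RX drops against 200,000 packets, together with the IP and MAC address an operator needs to locate the port.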

Identify cluster misconfiguration

When configuring a Check Point cluster you need to make sure you get a lot of things right. Then, as time goes by, changes are made to the active member and sometimes they are not made to the standby member.

Or, as we’ve seen more than once or twice, a device gets RMAed and the configurations on the new device aren’t exactly the same as the old device.

Whatever it is, you need to make sure the configurations match. indeni does that for you.

Commands used: netstat -rn (comparing routes), fw ctl multik stat, fwaccel stat, fw ctl get int <all_kparams>, cpstat fw, etc.  Files reviewed: all .conf and .def files.
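
The route comparison mentioned above, as an added example (not indeni's own code). It covers only the `netstat -rn` part of the check; the function names and both routing tables are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -rn` output from two members of one cluster.
HEADER = ("Kernel IP routing table\n"
          "Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface\n")
ACTIVE = HEADER + """\
0.0.0.0         192.0.2.254     0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        192.0.2.10      255.255.0.0     UG        0 0          0 eth0
10.2.0.0        192.0.2.10      255.255.0.0     UG        0 0          0 eth0
"""
STANDBY = HEADER + """\
0.0.0.0         192.0.2.254     0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        192.0.2.20      255.255.0.0     UG        0 0          0 eth0
"""

def parse_routes(text):
    """Map each destination (as CIDR) to its (gateway, interface)."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # banner, column header or blank line
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes[str(net)] = (f[1], f[7])
    return routes

def compare_members(active, standby):
    """Report routes that differ between two cluster members."""
    a, s = parse_routes(active), parse_routes(standby)
    return {
        "missing_on_standby": sorted(a.keys() - s.keys()),
        "extra_on_standby": sorted(s.keys() - a.keys()),
        "different": sorted((k, a[k], s[k]) for k in a.keys() & s.keys()
                            if a[k] != s[k]),
    }
```

Here the standby member lacks the 10.2.0.0/16 static route and points 10.1.0.0/16 at a different gateway, the kind of drift that only shows up after a failover.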

Track processes, know when there are issues

pdpd, routed, gated, cpd, fwd, … all these daemons need watching. You need to know when they crash, recycle, core dump, leak memory or simply behave funny.

indeni is well aware of these processes and the need to track them. The moment a process misbehaves, you will be notified.

Commands used: ps (various flags). Data sources: various directories containing core dump files.

Ensure you’re covered – with licenses and contracts

Do you have the right licenses? Are you exceeding capacity? Are your contracts being renewed on time? Will you continue to get your IPS signature updates?

Sometimes it can be difficult to stay on top of everything. In case you’ve missed something, indeni is there to point it out to you. Not saying you will, but just in case.

Data sources: licenses and contracts stored in the management database. Commands used: cplic print.

Discover Management HA sync issues before your next DR exercise

You’ve set up two management servers in HA. It all worked flawlessly and you’re ready for when your primary data center disappears. Or at least, the next DR exercise.

Then, when you actually want to switch to the standby server you discover you’re in a bit of a situation. It didn’t sync for months and nobody noticed. Do not worry, indeni notices.

Commands used: our little secret :)

Certificate expiration tracking

Certificates are commonly used in secure communications. In the case of Check Point Firewalls, they are used in SIC (Secure Internal Communication), VPNs (some) and OPSEC connections.

Keeping track of which certificate is being used and when it’s about to expire can be tricky. indeni does that for you. You’ll get an alert before a certificate expires, so you have enough time to renew it.

Data sources: the certificates stored in the internal CA.
