Check Point Hardware Diagnostic Tool for Hardware and OS

Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.

The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.

Key takeaways

This key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

This article describes a Check Point Firewalls diagnostic tool (indeni) that detects hidden operational issues in firewall deployments by continuously monitoring NTP synchronization, interface statistics (drops, errors, collisions), cluster configuration consistency, daemon/process health, license and contract status, management HA synchronization, and certificate expiration. In real-world networks these problems cause downtime, degraded performance, failed failovers, missed security updates, and expired certificates that disrupt VPNs and SIC; indeni uses OS commands and data sources like ntp utilities, ifconfig/ethtool outputs, management databases, and certificate stores to identify them. The key outcomes are timely alerts for persistent NTP failures, interface problems with identification details, configuration drift in clusters, process crashes or leaks, licensing/contract gaps, HA sync issues before DR, and upcoming certificate expirations so teams can remediate proactively.

How does indeni detect and alert on NTP synchronization problems for Check Point gateways?

indeni continuously tests the current NTP configurations on each gateway and will alert when NTP fails consistently for 24 hours to avoid false alarms due to planned maintenance on the NTP server. The tool relies on standard OS commands such as ntpdate and ntpq (depending on the gateway OS) to verify time synchronization status. By using the 24-hour threshold, indeni distinguishes transient or maintenance-related outages from prolonged synchronization failures that could cause issues with logs, certificates, and other time-sensitive functions.

What interface issues does indeni monitor and what information does it provide when problems are found?

indeni monitors interface drops, errors, and collisions, which can indicate overload, RX buffer problems, duplex mismatches, or severely misconfigured/outdated setups. When thresholds are exceeded, indeni reports which interface is affected along with details such as speed and duplex settings, IP and MAC addresses, helping operators pinpoint the root cause. The checks use commands like ifconfig -a and ethtool to gather the interface statistics and configuration needed for troubleshooting.

Which cluster, process, licensing, HA sync, and certificate checks does indeni perform for Check Point environments?

For clusters, indeni compares active and standby configurations to detect drift or mismatches (for example after changes or RMA replacements) by reviewing routing and state information with commands like netstat -rn, fw ctl multik stat, fwaccel stat, fw ctl get int <all_kparams>, and cpstat fw, and examining .conf and .def files. It tracks critical daemons (pdpd, routed, gated, cpd, fwd, etc.) for crashes, restarts, core dumps, and memory leaks using ps and core dump directories. License and contract coverage is validated against the management database (using cplic print) to identify capacity or renewal issues. Management HA synchronization is monitored so desynchronization is discovered before a DR exercise, and certificates stored in the internal CA are tracked to alert teams before expiration to protect SIC, VPNs, and OPSEC connections.

Check Point Firewalls Diagnostic Tool

Below are samples of hidden issues that may be lurking in your network environment.

Keep the clocks in sync

You’ve gone through the trouble of configuring the use of NTP on all of your firewalls. It worked at the time you configured it. Then, months later, while troubleshooting an issue, you realize the clock is no longer set correctly.

indeni constantly tests the current NTP configurations on a gateway. If NTP fails consistently for 24 hours we alert. The reason for the 24 hour threshold is to avoid alerting for any maintenance being done to your NTP server.

Commands used: ntpdate, ntpq, etc. (depending on OS).
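The 24-hour rule described above, as an added sketch that is not indeni's own code: an alert fires only once every probe across a full 24-hour span has failed, and any success resets the clock. The function names and the hourly probe histories are assumptions constructed for illustration; in practice each record would be the result of one NTP check against the gateway.

```python
from datetime import datetime, timedelta

THRESHOLD = timedelta(hours=24)  # from the article: 24 hours of consistent failure

def ntp_alert_time(probes, threshold=THRESHOLD):
    """Return when an alert should fire, or None.

    probes: (timestamp, ok) pairs in chronological order, one per NTP check.
    The alert fires at the first failed probe taken at least `threshold`
    after the start of the current unbroken run of failures.
    """
    failing_since = None
    for ts, ok in probes:
        if ok:
            failing_since = None        # any success ends the run
            continue
        if failing_since is None:
            failing_since = ts          # first failure of a new run
        if ts - failing_since >= threshold:
            return ts
    return None

def hourly(start, results):
    """Build constructed probe records, one per hour."""
    return [(start + timedelta(hours=i), ok) for i, ok in enumerate(results)]

T0 = datetime(2024, 1, 1)
# Constructed histories (hypothetical data, hourly probes):
MAINTENANCE = hourly(T0, [True] + [False] * 6 + [True] * 20)  # 6 h NTP server window
FLAPPING = hourly(T0, ([False] * 23 + [True]) * 2)            # never 24 h in a row
OUTAGE = hourly(T0, [True, True] + [False] * 30)              # broken from 02:00 on

if __name__ == "__main__":
    for name, history in [("maintenance", MAINTENANCE),
                          ("flapping", FLAPPING), ("outage", OUTAGE)]:
        print(name, ntp_alert_time(history))
```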

Monitor interfaces for drops, errors, collisions, etc.

Drops usually occur when the traffic load is more than the interface can handle, or more than the CPU can take off the interface (RX buffers).

Errors usually occur when the duplex settings are wrong.

Collisions usually occur when you have a setup from hell or one that is simply outdated.

Whatever it is, you need someone to keep an eye on it and tell you when there are more drops, errors and collisions than there should be. It would be great if that someone would also tell you what interface it’s on, the speed+duplex settings for that interface, the IP addresses, MAC address, etc.

Commands used: ifconfig -a, ethtool.
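An added example (not indeni's code) of the interface check described above: parse two `ifconfig -a` snapshots, compare the cumulative counters, and report the interface, MAC and IP when drops or errors grow faster than a chosen share of the packets seen. The sample output, the function names and the 0.1% ratio are assumptions made for illustration; the article does not state indeni's thresholds.

```python
import re

# Constructed sample in the classic net-tools `ifconfig -a` layout (not real output).
SAMPLE_T0 = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.1  Bcast:192.0.2.255  Mask:255.255.255.0
          RX packets:1000000 errors:0 dropped:100 overruns:0 frame:0
          TX packets:900000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:198.51.100.1  Bcast:198.51.100.255  Mask:255.255.255.0
          RX packets:500000 errors:10 dropped:0 overruns:0 frame:10
          TX packets:400000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""
# Second constructed sample: eth0 drops 4000 of 200000 new packets, eth1 stays healthy.
SAMPLE_T1 = (SAMPLE_T0
             .replace("RX packets:1000000 errors:0 dropped:100", "RX packets:1200000 errors:0 dropped:4100")
             .replace("RX packets:500000 errors:10", "RX packets:600000 errors:12"))

def parse_ifconfig(text):
    """Map interface name -> MAC, IP and cumulative RX/TX counters."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        mac = re.search(r"HWaddr (\S+)", block)
        ip = re.search(r"inet addr:(\S+)", block)
        info = {"mac": mac and mac.group(1), "ip": ip and ip.group(1)}
        for d, pkts, err, drop in re.findall(r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)", block):
            info[d.lower()] = {"packets": int(pkts), "errors": int(err), "dropped": int(drop)}
        result[block.split()[0]] = info
    return result

def findings(before, after, max_ratio=0.001):
    """Flag counters that grew by more than max_ratio of the packets seen in the interval."""
    alerts = []
    for name in before.keys() & after.keys():
        for d in ("rx", "tx"):
            old, new = before[name].get(d), after[name].get(d)
            if not old or not new or new["packets"] <= old["packets"]:
                continue                 # idle interface, or counters reset by a reboot
            pkts = new["packets"] - old["packets"]
            for kind in ("dropped", "errors"):
                delta = new[kind] - old[kind]
                if delta / pkts > max_ratio:
                    alerts.append((name, d, kind, delta, after[name]["mac"], after[name]["ip"]))
    return sorted(alerts)
```

Comparing deltas rather than raw totals matters because the counters are cumulative since boot; a large absolute number on a long-running gateway may be years old.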

Identify cluster misconfiguration

When configuring a Check Point cluster you need to make sure you get a lot of things right. Then, as time goes by, changes are made to the active member and sometimes they are not made to the standby member.

Or, as we’ve seen more than once or twice, a device gets RMAed and the configurations on the new device aren’t exactly the same as the old device.

Whatever it is, you need to make sure the configurations match. indeni does that for you.

Commands used: netstat -rn (comparing routes), fw ctl multik stat, fwaccel stat, fw ctl get int <all_kparams>, cpstat fw, etc. Files reviewed: all .conf and .def files.
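The route comparison mentioned above, as an added example rather than indeni's implementation: it parses `netstat -rn` output from the active and standby members and reports routes present on only one member or pointing at different next hops. The two routing tables and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed `netstat -rn` output for two members of one cluster (not real data).
ACTIVE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.254     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       192.0.2.10      255.255.0.0     UG        0 0          0 eth0
10.20.0.0       198.51.100.7    255.255.0.0     UG        0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
STANDBY = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.254     0.0.0.0         UG        0 0          0 eth0
10.20.0.0       198.51.100.9    255.255.0.0     UG        0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""

def parse_routes(text):
    """Map (destination, genmask) -> set of (gateway, iface); a set keeps multipath routes."""
    routes = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():    # skips the two header lines
            routes[(f[0], f[2])].add((f[1], f[7]))
    return dict(routes)

def route_drift(active_text, standby_text):
    """Return routes missing on either member and routes whose next hop differs."""
    a, s = parse_routes(active_text), parse_routes(standby_text)
    return {
        "missing_on_standby": sorted(a.keys() - s.keys()),
        "missing_on_active": sorted(s.keys() - a.keys()),
        "next_hop_differs": sorted(k for k in a.keys() & s.keys() if a[k] != s[k]),
    }
```

A route that exists only on the active member is the kind of drift that stays invisible until failover, when traffic for that network stops being forwarded.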

Track processes, know when there are issues

pdpd, routed, gated, cpd, fwd, … all these daemons need watching. You need to know when they crash, recycle, core dump, memory leak or simply behave funny.

indeni is well aware of these processes and the need to track them. The moment a process misbehaves, you will be notified.

Commands used: ps (various flags). Data sources: various directories containing core dump files.

Ensure you’re covered – with licenses and contracts

Do you have the right licenses? Are you exceeding capacity? Are your contracts being renewed on time? Will you continue to get your IPS signature updates?

Sometimes it can be difficult to stay on top of everything. In case you’ve missed something, indeni is there to point it out to you. Not saying you will, but just in case.

Data sources: licenses and contracts stored in the management database. Commands used: cplic print.

Discover Management HA sync issues before your next DR exercise

You’ve set up two management servers in HA. It all worked flawlessly and you’re ready for when your primary data center disappears. Or at least, the next DR exercise.

Then, when you actually want to switch to the standby server you discover you’re in a bit of a situation. It didn’t sync for months and nobody noticed. Do not worry, indeni notices.

Commands used: our little secret :)

Certificate expiration tracking

Certificates are commonly used in secure communications. In the case of Check Point Firewalls, they are used in SIC (Secure Internal Communication), VPNs (some) and OPSEC connections.

Keeping track of which certificate is being used and when it’s about to expire can be tricky. indeni does that for you. You’ll get an alert before a certificate expires, so you have enough time to renew it.

Data sources: the certificates stored in the internal CA.

Ready to learn more? Download the Check Point solution brief here.

