Xymon Mailing List Archive

Checkpoint High Availability Monitoring

11 messages in this thread

list L.M.J · Mon, 28 Apr 2008 09:15:45 +0200 (CEST) ·
Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?

  Thanks in advance,

    LMJ
list Pkc_mls · Mon, 28 Apr 2008 09:33:09 +0200 ·
L.M.J. wrote:
Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

  
you have some commands that need to be parsed to do so.
try "cphaprob -a if" and "cphaprob state".
  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?
  
they exchange information via heartbeat.
you can set up on smartdashboard the "fail over" tracking option.
the main difficulty in my opinion is to be sure your monitoring will 
also work if the HA
priority changes.

there is also an active firewall 1 archiev if you wish to ask the 
question to firewall-1 users.
  Thanks in advance,

    LMJ
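
The check pkc_mls suggests above (parsing `cphaprob state`), written so that it keeps working when the HA priority changes; this is an added example, not code from the thread or from the Hobbit/Xymon project. The `cphaprob state` column layout and both sample outputs are assumptions constructed for illustration; `cluster` is the test name proposed later in the thread, and `$BB`, `$BBDISP` and `$MACHINE` are the usual Hobbit client extension variables.

```shell
#!/bin/sh
# Classify `cphaprob state` output read on stdin; prints "<color> <reason>".
# Green means exactly one Active member and every other member Standby,
# whichever node holds the Active role, so a priority change or a clean
# failover does not raise an alarm.
cluster_status() {
    awk '
    /^[0-9]+ / {
        # Member row (assumed layout): Number [(local)] Address Load% State...
        state = ""
        for (i = 1; i <= NF; i++) if ($i ~ /%$/) break
        for (j = i + 1; j <= NF; j++) state = state (state == "" ? "" : " ") $j
        members++
        if (state == "Active") active++
        else if (state == "Standby") standby++
        else bad = bad (bad == "" ? "" : ", ") "member " $1 " is " (state == "" ? "unknown" : state)
    }
    END {
        if (members < 2)      print "red expected 2 members, saw " (members + 0)
        else if (bad != "")   print "red " bad
        else if (active != 1) print "red " (active + 0) " active members"
        else                  print "green 1 active, " standby " standby"
    }'
}

# Constructed sample outputs (not captured from a real gateway).
sample_after_failover='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       0%              Standby
2          192.0.2.2       100%            Active'
sample_degraded='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active Attention
2          192.0.2.2       0%              Down'

# When run as a Hobbit client extension on the firewall, report the result.
if command -v cphaprob >/dev/null 2>&1 && [ -n "$BB" ]; then
    result=$(cphaprob state | cluster_status)
    $BB $BBDISP "status $MACHINE.cluster ${result%% *} $(date)
${result#* }"
fi
```
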
list Pkc_mls · Mon, 28 Apr 2008 09:48:54 +0200 ·
pkc_mls wrote:
there is also an active firewall 1 archiev if you wish to ask the 
question to firewall-1 users.
there is also an active firewall-1 mailing list if you wish to ask the 
question to firewall-1 users.
sorry for monday morning typo.
  Thanks in advance,

    LMJ
list Michael A. Price · Mon, 28 Apr 2008 07:50:54 -0400 ·
Someone posted a Checkpoint SPLAT devmon template and it works great, it
will monitor the cluster state for you.

Here is a copy..

Thanks, michael

On 4/28/08 3:15 AM, "L.M.J." <user-78bb6d5d9024@xymon.invalid> wrote:
Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?

  Thanks in advance,

    LMJ

Attachments (1)
list L.M.J · Mon, 28 Apr 2008 17:24:02 +0200 ·
On Mon, 28 Apr 2008 09:33:09 +0200,
pkc_mls <user-06f34394900f@xymon.invalid> wrote:
L.M.J. wrote:
Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

    
you have some commands that need to be parsed to do so.
try "cphaprob -a if" and "cphaprob state".
  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?
    
they exchange information via heartbeat.
you can set up on smartdashboard the "fail over" tracking option.
the main difficulty in my opinion is to be sure your monitoring will 
also work if the HA
priority changes.
Hi pkc_mls,

  If you suggest parsing some commands, I guess you mean installing the Hobbit Client on the CheckPoint Linux
firewalls, which sounds like it is not supported by CP (+ I guess my colleague, directly responsible for the FW, will
be able to disagree :-/)

  Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)

  Thank you very much guys,

   CU
list Pkc_mls · Mon, 28 Apr 2008 17:44:54 +0200 ·
L.M.J wrote:
On Mon, 28 Apr 2008 09:33:09 +0200,
pkc_mls <user-06f34394900f@xymon.invalid> wrote:

L.M.J. wrote:

Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

    
you have some commands that need to be parsed to do so.
try "cphaprob -a if" and "cphaprob state".
    
  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?
    
      
they exchange information via heartbeat.
you can set up on smartdashboard the "fail over" tracking option.
the main difficulty in my opinion is to be sure your monitoring will 
also work if the HA
priority changes.
    
Hi pkc_mls,

  If you suggest parsing some commands, I guess you mean installing the Hobbit Client on the CheckPoint Linux
firewalls, which sounds like it is not supported by CP (+ I guess my colleague, directly responsible for the FW, will
be able to disagree :-/)
  
that's true.
the client for rhel3 works flawlessly on my splat ngx r62.

I rebuilt a static version for splat, but this is a tar.gz archive, not 
a clean rpm.
  Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)

  Thank you very much guys,

   CU
list Michael A. Price · Mon, 28 Apr 2008 12:07:04 -0400 ·
I have a hobbit client running on my R65 SPLAT systems with no problems. I
statically compiled RHE7.2 hobbit client last year with the libraries and it
works great.

Let me know if you need a copy.

Thanks, michael

P.S. - Just don't tell Checkpoint ;-)


On 4/28/08 11:44 AM, "pkc_mls" <user-06f34394900f@xymon.invalid> wrote:
L.M.J wrote:
On Mon, 28 Apr 2008 09:33:09 +0200,
pkc_mls <user-06f34394900f@xymon.invalid> wrote:

L.M.J. wrote:

Hi, once again ;)

  I would like to monitor the HA cluster between 2 Checkpoint Firewalls.

  Several times a month, the cluster failed down; it sounds like one of the
numerous Ethernet cards seems to be off for a couple of seconds, thus
the HA cluster switches to safe mode. I would like to detect this nasty
state from the Hobbit server to broadcast an alarm.

          
you have some commands that need to be parsed to do so.
try "cphaprob -a if" and "cphaprob state".
    
  I don't know how the 2 Firewalls exchange health information (maybe via
Heartbeat). Has anyone already figured out how to monitor this issue?
          
they exchange information via heartbeat.
you can set up on smartdashboard the "fail over" tracking option.
the main difficulty in my opinion is to be sure your monitoring will
also work if the HA
priority changes.
    
Hi pkc_mls,

  If you suggest parsing some commands, I guess you mean installing the Hobbit
Client on the CheckPoint Linux
firewalls, which sounds like it is not supported by CP (+ I guess my colleague,
directly responsible for the FW, will
be able to disagree :-/)
  
that's true.
the client for rhel3 works flawlessly on my splat ngx r62.

I rebuilt a static version for splat, but this is a tar.gz archive, not
a clean rpm.
  Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)

  Thank you very much guys,

   CU
  
list Buchan Milne · Tue, 29 Apr 2008 10:00:23 +0200 ·
On Monday 28 April 2008 13:50:54 Michael A. Price wrote:
Someone posted a Checkpoint SPLAT devmon template and it works great, it
will monitor the cluster state for you.

Here is a copy..
I would like to add this to the devmon templates release, but I would prefer to have some contact who uses this template (we only have Cisco firewalls).

Also, it may be better to use the same test name as the PIX/ASA templates (which use "cluster", I note some of the other extensions from deadcat - e.g. the one for Sun Cluster - also use "cluster").

But, we should probably move discussion to the devmon list.

Regards,
Buchan
list L.M.J · Thu, 1 May 2008 08:22:30 +0200 ·
On Mon, 28 Apr 2008 07:50:54 -0400,
"Michael A. Price" <user-d7d653acf808@xymon.invalid> wrote:
Someone posted a Checkpoint SPLAT devmon template and it works great, it
will monitor the cluster state for you.

Here is a copy..

Thanks, michael
Incredible, it works perfectly! Thanks to all!

Last question for this time ;) How can I get CPU & Mem graphs activated? I just have the current state right
now. Is it possible to run devmon on the SNMPv3 protocol?

 Thanks
list L.M.J · Thu, 1 May 2008 10:53:08 +0200 ·
On Thu, 1 May 2008 08:22:30 +0200,
"L.M.J" <user-78bb6d5d9024@xymon.invalid> wrote:
On Mon, 28 Apr 2008 07:50:54 -0400,
"Michael A. Price" <user-d7d653acf808@xymon.invalid> wrote:
Someone posted a Checkpoint SPLAT devmon template and it works great, it
will monitor the cluster state for you.
Here is a copy..
Thanks, michael  
Incredible, it works perfectly! Thanks to all!

Last question for this time ;) How can I get CPU & Mem graphs activated? I just have the current state right
now. Is it possible to run devmon on the SNMPv3 protocol?

 Thanks
  LOL, I'm a liar, I still have extra questions: what about FW OneEdge CP (tiny appliance)? Is it also
possible to monitor them via Devmon?
list Pkc_mls · Mon, 05 May 2008 10:06:04 +0200 ·
L.M.J wrote:
  LOL, I'm a liar, I still have extra questions: what about FW OneEdge CP (tiny appliance)? Is it also
possible to monitor them via Devmon?
  
It should be, theoretically, but you have to deal with the sofaware mibs.
I doubt you'll have the same OIDs as in checkpoint MIBs.