CheckPoint ConfigSource (PoC)

Hi Chris,

Lauren has brought this to my attention also and I'm taking a look. My initial finding (testing on one device only so far) is that the 'show virtual-system all' command works, but that the device lists no virtual systems.

E.g., the discovery script gets an unparsed output like:

Quote

Last login: Sun Apr 10 16:11:48 2022 from xxx.xxx.xxx.xxx

You have logged into the system.
[(User)@(systemName):0]# clish
(systemName)> set clienv rows 0
(systemName)> show virtual-system all
Virtual systems list
VS ID       VS NAME                    
(systemName)> 

If you can point me (via Lauren) to a device where virtual systems definitely exist and should be found, I can follow up.

Cheers

Antony

Hi Chris,

Update, I think I've figured it, conceptually at least. This module was built specifically for those resources with virtual systems defined, as that is what my original customer had. Clearly this is not always the case, so, I've found the list of other available commands.

The good news is, this is possible and not particularly difficult.

I'll communicate further with Lauren rather than here.

Cheers

Antony

Updates...

In light of @ckong's comments above, I've made some changes.

The original DataSource is now renamed to Checkpoint_Virtual_Systems_Config_PoC

v1.1 is published with lmLocator: YJARHM

There is now a second DataSource for actual appliances, named Checkpoint_Firewall_Config_PoC.

v1.1 of this is Published with lmLocator: 2HKP9T

By default the appliance-specific DataSource, Checkpoint_Firewall_Config_PoC, runs only the "show configuration" command.

However, if you wish, you can add further commands by editing this line in the discovery script:

def commandsToShow = ['configuration'];

You can add any suitable commands into this list, e.g. you could make it:

def commandsToShow = ['configuration','route'];

...to additionally monitor routing tables for changes.

All commands in this list get checked against what the device says it supports (via a 'show \t' command to list all possibles). Erroneous / mis-spelled / non-existent commands will not create instances, but equally the ConfigSource will not tell you if you've made a mistake here.

Hi Antony,

We got 112 Checkpoint FW devices but only 82 have the backups as those 82 are listed under show devices with instances, 30 are not. Not sure why, any ideas? 

Thanks, Chris

Hey Chris,

Usually, if a ConfigSource has been applied for "a while" but discovered no instances, I would expect that to be down to credentials or the device refusing the SSH connection from the Collector's IP, so I would take a sample non-responsive Resource in LM and double-check the ssh.user/ssh.pass values against the device itself, and ensure the device's config isn't going to be blocking a port 22 connection from the Collector.

You can also use the "Test script" button within the ConfigSource definition page to select one of the non-responsive devices as a test (start with the Active Discovery script) to see what the Collector sees.

Also, if you run Active Discovery against a Resource, the Collector debug commands !adlist, suitably targeted to the Resource and/or ConfigSource name, and !adetail for the relevant discovery task ID, may show error message details.

Hope this helps!

Antony

If none of that gives any clues, I usually take the discovery script and run it in the Collector debug's !groovy function, targeting the device it's not working on. That way I can see the full output of the script, not just what LM can parse.

Hi Antony,

I tried this and run the script without errors but we are not getting the checkpoint fw config either.

Any suggestions do when the core version will be available?

Thanks, Chris

Hi Antony,

Thanks for looking into it.  Ours are actual appliances and if we can do > show configuration in clish then we should see the configs.

Chris