
Wyndham Worldwide – CSIT

Information Security Operations


Network Security Operations

SOP-Technical Name: Health check for Indeni alerts

Pre-requisites
SSH access to the device(s) on which you need to perform the health checks.
Access to SmartDashboard, SmartView Monitor and SmartView Tracker.

Procedure
The following is the list of health checks that analysts are recommended to perform when Indeni raises
alerts in critical state for Check Point firewalls.

1. Verify the current and past history of CPU and memory usage. Use the “top” command to check the
current CPU and memory usage. Monitor for a few minutes to ensure that CPU/memory usage is not
shooting high (> 90%). If you notice high CPU usage, identify which specific process is consuming
the most CPU to narrow down your investigation.


2. Use the command “free -m” to verify the active real memory and the free real memory.


3. In SmartView Monitor, navigate to the “System Counters” section. Click “System History” or
“Firewall History” to review the CPU/virtual memory usage over a period of time. Also check
whether there are any intermittent CPU spikes.

4. Check the CPU usage under SmartView Monitor > Gateway Status > Firewalls > specific
gateway > System Information.

5. Ensure the Check Point and firewall processes are running on the firewall. Use the commands
“cpwd_admin list” or “ps auxf” to verify this.

6. Ensure that the primary and secondary firewalls are in active/standby state. Use the “cphaprob”
command to verify that the cluster and cluster members are working properly. If there is any issue
with sync between the two firewalls, use the command “cphaprob list” to get more detailed
information about the synchronization state and the fwd process.

There is no Cluster Member on the firewall.

7. Verify the firewall logs to ensure there are no abnormal events. Review the log messages stored in
/var/logs. The command “dmesg” can also be used to see the boot logs.

8. Check that all the interfaces on the firewall are up. Verify whether there are any receive drops or errors
on any of the firewall interfaces.

9. Use the command “watch -d netstat -i” (refreshes the data every 2 seconds).

10. Verify that the disk space usage is normal.

11. Ensure there is an optimal number of concurrent connections on both the primary and standby firewall.

12. Compare the value on both the primary and secondary firewall. If the value is unusually low on one
of the firewalls, it might indicate a problem.

13. Verify that the license is active on the firewall.

14. Check SmartView Tracker and ensure that active logs are being received for the active/primary
firewall.

15. Verify that the policy is available on the Check Point security gateway. Use the command “fw stat” to
check that the policy is loaded on the gateway. Also make sure it is the correct policy for that
specific gateway.

16. Ensure that the firewall has not rebooted.
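As an added example (not part of this SOP), the POSIX shell script below turns three of the checks above into something that can be run from Expert mode: it parses the output of “free -m”, “netstat -i” and “cpwd_admin list” and flags memory use above 90%, interfaces that are down or show receive/transmit drops or errors, and required daemons that cpwd does not report as executing. The sample outputs embedded in it are constructed, and the column layouts assumed are those of the older procps and net-tools releases.

```shell
#!/bin/sh
# Added example, not part of the SOP: parse the output of the commands the SOP
# names (free -m, netstat -i, cpwd_admin list) and flag what the analyst is told
# to look for. On a gateway pipe the live command output into the functions;
# the samples below are constructed so the script runs offline.

# Percentage of real memory in use: prefers the "-/+ buffers/cache" line
# (older procps, as on SecurePlatform/Gaia), else the Mem: used column.
mem_used_pct() {
    awk '$1 == "Mem:" { total = $2; used = $3 }
         $1 == "-/+"  { used = $3 }
         END { if (total > 0) printf "%d\n", (used * 100) / total }'
}

# Interfaces that are not running (no R flag) or show RX/TX errors or drops.
# Assumes the classic 12-column netstat -i layout (Iface MTU Met RX-OK RX-ERR
# RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg) with two header lines.
iface_problems() {
    awk 'NR > 2 && $12 !~ /R/ { print $1, "DOWN"; next }
         NR > 2 && ($5 + $6 + $9 + $10) > 0 {
             print $1, "RX-ERR=" $5, "RX-DRP=" $6, "TX-ERR=" $9, "TX-DRP=" $10 }'
}

# Required daemons (APP names in $1) that cpwd_admin does not list as executing (STAT E).
missing_daemons() {
    awk -v req="$1" 'BEGIN { n = split(req, want, " ") }
         NR > 1 && $3 == "E" { running[$1] = 1 }
         END { for (i = 1; i <= n; i++) if (!(want[i] in running)) print want[i] }'
}
# Constructed sample outputs (not captured from a real gateway).
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          3950       3700        250          0        300       2200
-/+ buffers/cache:       1200       2750'
SAMPLE_NETSTAT='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1234567      0      0      0   987654      0      0      0 BMRU
eth1   1500   0  234567      0   1500      0   112233      0      0      0 BMRU
eth2   1500   0       0      0      0      0        0      0      0      0 BM
lo    16436   0   12345      0      0      0    12345      0      0      0 LRU'
SAMPLE_CPWD='APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4521   E     1       [12:01:03] 5.4.2016    Y    cpd
FWD        4600   T     3       [12:01:05] 5.4.2016    N    fwd
FWM        4655   E     1       [12:01:07] 5.4.2016    N    fwm'
# Run the checks on the samples; on a gateway use `free -m | mem_used_pct` etc.
pct=$(printf '%s\n' "$SAMPLE_FREE" | mem_used_pct)
if [ "$pct" -gt 90 ]; then echo "ALERT: memory ${pct}% used"; else echo "memory ${pct}% used"; fi
printf '%s\n' "$SAMPLE_NETSTAT" | iface_problems | sed 's/^/ALERT: interface /'
printf '%s\n' "$SAMPLE_CPWD" | missing_daemons "CPD FWD" | sed 's/^/ALERT: not running: /'
```

The thresholds (90% memory, any non-zero drop or error counter) follow the SOP; a gateway whose interface counters are never zero in normal operation should compare successive samples instead, which is what the SOP's “watch -d” step does visually.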

Post-requisites
Log in to the Indeni alerting system and check whether the alert is still active or has been closed.
If this is a false alert, investigate why the Indeni alerting system is generating false positives.

