Pre-requisites
SSH access to the device(s) on which you need to perform the health checks.
Access to SmartDashboard, SmartView Monitor and SmartView Tracker.
Procedure
The following is the list of health checks that analysts are recommended to perform for Indeni
alerts on Check Point firewalls in critical state.
1. Verify the current and past history of CPU and memory usage. Use the “top” command to check the
current CPU and memory usage. Monitor for a few minutes to ensure that the CPU/memory usage is
not shooting high (> 90%). If you notice high CPU usage, identify which specific process is consuming
the most CPU to narrow down your investigation.
Document1 Page 1
Wyndham Worldwide – CSIT
Information Security Operations
Network Security Operations
2. Use the command “free -m” to verify the active real memory and free real memory.
3. In SmartView Monitor, navigate to the section “System Counters”. Click on “System History” or
“Firewall History” to review the CPU/virtual memory usage over the selected time period. Also check
whether there are any intermittent CPU spikes.
6. Ensure that the Check Point and firewall processes are running on the firewall. We can use the commands
“cpwd_admin list” or “ps auxf” to verify this.
7. Ensure that the primary and secondary firewalls are in the active/standby state. Use the “cphaprob”
command to verify that the cluster and cluster members are working properly. If there is any issue
with sync between the two firewalls, we can use the command “cphaprob list” to get more detailed
information about the synchronization state and the fwd process.
8. Verify the firewall logs to ensure there are no abnormal events. Review the log messages stored in
/var/logs. We can also use the command “dmesg” to see the boot logs.
9. Check that all the interfaces on the firewall are up. Verify whether there are any receive drops/errors on any of
the firewall interfaces.
10. Use the command “watch -d netstat -i” (refreshes the data every 2 seconds).
12. Ensure we have an optimal number of concurrent connections on both the primary and standby firewalls.
13. Compare the values on both the primary and secondary firewalls. If the value is unusually low on one
of the firewalls, it might indicate a problem.
15. Check SmartView Tracker and ensure that we are seeing the active logs from the active/primary
firewall.
16. Verify that the policy is available on the Check Point security gateway. Use the command “fw stat” to
check whether the policy is installed on the Check Point security gateway. Also make sure that this is the
correct policy for that specific gateway.
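The checks in steps 1, 2, 9, 10, 12 and 13 above, turned into small parsing functions as an added example (this is not part of the original document and not Check Point's own tooling). It assumes that concurrent-connection counts come from “fw tab -t connections -s” (the document does not name a command for step 12), and the sample command outputs, the 90% memory threshold and the “less than half of the peer” rule for step 13 are constructed assumptions, not values captured from a real gateway.

```shell
#!/bin/sh
# Added example: parse the outputs that the health-check steps collect
# (free -m, netstat -i, fw tab -t connections -s) and flag the conditions the
# procedure describes. All sample outputs below are CONSTRUCTED, not captured
# from a real gateway; the thresholds are assumptions.

MEM_THRESHOLD=90      # percent; assumption modelled on step 1's ">90%" guidance

# Constructed sample of `free -m` output (older free(1) layout with the
# "-/+ buffers/cache" line, which is what Gaia shows)
FREE_SAMPLE='             total       used       free     shared    buffers     cached
Mem:          7985       7520        465          0        210       1830
-/+ buffers/cache:       5480       2505
Swap:         8189          0       8189'

# Constructed sample of `netstat -i` output: eth1 carries receive errors/drops
NETSTAT_SAMPLE='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 9812345      0      0      0 8123456      0      0      0 BMRU
eth1   1500   0 4412345     12    340      0 3923456      0      0      0 BMRU
lo    16436   0   12345      0      0      0   12345      0      0      0 LRU'

# Constructed samples of `fw tab -t connections -s` (assumed source for step 12)
# from the primary and the standby member; #VALS is the current entry count
CONN_PRIMARY='HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             connections                       8158 18450 25020   36900'
CONN_STANDBY='HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             connections                       8158   410 25020     820'

# Step 2: percentage of real memory in use, excluding buffers/cache when the
# "-/+ buffers/cache" line is present (falls back to the raw "Mem:" used value)
mem_used_pct() {
    printf '%s\n' "$1" | awk '
        $1 == "Mem:" { total = $2; mem_used = $3 }
        $1 == "-/+"  { cache_used = $3 }
        END {
            used = (cache_used != "") ? cache_used : mem_used
            if (total > 0) print int(used * 100 / total)
        }'
}

# Step 1/2: succeed when memory usage is below the threshold, fail otherwise
mem_ok() {
    pct=$(mem_used_pct "$1")
    [ -n "$pct" ] && [ "$pct" -lt "$MEM_THRESHOLD" ]
}

# Steps 9/10: print "iface rx_err rx_drp" for every interface whose RX-ERR or
# RX-DRP column is non-zero; columns are located by name from the header line
rx_problem_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "Iface" { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        hdr && ($(col["RX-ERR"]) > 0 || $(col["RX-DRP"]) > 0) {
            print $1, $(col["RX-ERR"]), $(col["RX-DRP"])
        }'
}

# Step 12: current entry count (#VALS) of the connections table
conn_count() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'
}

# Step 13: succeed when neither member holds fewer than half the connections of
# the other (the "unusually low" rule is an assumption for this example)
conn_pair_ok() {
    a=$(conn_count "$1"); b=$(conn_count "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        lo = (a < b) ? a : b; hi = (a < b) ? b : a
        exit !(hi == 0 || lo * 2 >= hi)
    }'
}

# Run all checks against the constructed samples and report findings
report() {
    mem_ok "$FREE_SAMPLE" \
        && echo "memory: OK ($(mem_used_pct "$FREE_SAMPLE")% used)" \
        || echo "memory: HIGH ($(mem_used_pct "$FREE_SAMPLE")% used)"
    bad=$(rx_problem_ifaces "$NETSTAT_SAMPLE")
    [ -z "$bad" ] && echo "interfaces: OK" || echo "interfaces: RX problems on: $bad"
    conn_pair_ok "$CONN_PRIMARY" "$CONN_STANDBY" \
        && echo "connections: OK" \
        || echo "connections: MISMATCH primary=$(conn_count "$CONN_PRIMARY") standby=$(conn_count "$CONN_STANDBY")"
}

report
```

On a live gateway the same functions take real output, for example `mem_ok "$(free -m)"` or `rx_problem_ifaces "$(netstat -i)"`; the functions locate columns by header name so they tolerate the column widths changing between versions. Interfaces with non-zero receive drops are reported rather than acted on, since step 9 only asks the analyst to verify them.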
Post-requisites
Log in to the Indeni alerting system and check whether the alert is still active or has been closed.
If this is a false alert, investigate why the Indeni alerting system is generating false positives.