CME Monitoring
CME is integrated with Check Point logs to improve logging and monitoring.
Prerequisites
- CME Take 178 or higher installed on the Security Management or Multi-Domain Security Management Server. Run this command in Expert mode to verify the Take:
  autoprov_cfg -v
- CME Take 51 or higher installed on the Security Management or Multi-Domain Security Management Server. Run this command in Expert mode to verify the Take:
  autoupdatercli show | grep -A 6 Infra_AutoUpdate
To monitor CME logs, use one of these options:
- Filter the logs in SmartConsole with this query syntax:
  blade:"CME"
- Configure Log Exporter to export all logs that belong to the CME Blade.
  See the Logging and Monitoring R81.10 Administration Guide > Log Exporter > Configuring Log Exporter in CLI > Log Exporter Advanced Configuration in CLI for more information.
  For example, to export CME logs to a Splunk log server, run in Expert mode:
  cp_log_export add name <exporter name> target-server <log server IP> target-port <log server port> protocol tcp format splunk filter-blade-in CME

Note - In a Multi-Domain Security Management environment, logs are displayed with respect to the environment, which means the domain’s logs are displayed in the domain’s console.
Log description:
| Category | Description |
|---|---|
| General events | CME general information such as service start/stop and configuration changes (MDS global level only). |
| Autoscale-Group related events | Cloud account information such as scale-in/out success or failure. |
| Autoprovision process events | Provisioning |
Integration with Events & AIOps
CME can integrate with Events & AIOps (formerly Infinity AIOps) in the Check Point Portal to provide centralized visibility of operational metrics and alerts for supported Check Point assets, including CloudGuard management components.
Onboarding and Requirements
Before you onboard to Events & AIOps, make sure that your environment meets the prerequisites for supported assets and versions. Then connect your Security Management Server to your Check Point Portal tenant and complete the Events & AIOps onboarding flow.
For prerequisites, supported assets and versions, onboarding steps, and limitations, see the Events & AIOps Administration Guide (refer to the section Onboarding AIOps (Automatic Mode)).
Limitation
Multi-Domain Security Management Server (MDS) is not supported in AIOps.
View CME-Related Metrics
After onboarding, you can view CME-related Cloud Firewall information in the Check Point Portal:
- In the Check Point Portal menu, go to Hybrid Mesh Network Security > Events & AIOps.
- Go to AIOps > Asset Dashboard.
- Select the relevant asset from the list at the top.
- Open the CloudGuard tab to view Cloud Firewall widgets. These widgets include CME health, Accounts Status, and Scale Events.

Note - For details on the Asset Dashboard and available Cloud Firewall widgets, see the AIOps Asset Dashboard section in the Events & AIOps Administration Guide.
View CME Alerts
To view alerts for monitored assets, go to AIOps > Alerts in Events & AIOps.
Available CME Alerts in Events & AIOps
- CME service stopped
  This alert indicates that CME is not running on the Management Server. This can occur when the service has stopped or is not responding.
- Cloud account connection failure
  This alert indicates that CME cannot connect to one of the configured cloud accounts or controllers. This can be caused by authentication issues, network reachability problems, or API access issues.
- Scale event failed
  This alert indicates that a scale-out or scale-in event occurred, but CME failed to complete the required provisioning or removal steps for the gateway instance.
- Azure Virtual WAN provisioning failed
  This alert indicates that CME failed during an Azure Virtual WAN-related provisioning workflow.
- Management API communication failure
  This alert indicates that CME failed to complete an operation due to a Management API error.

Note - For more details about alert structure, see the "AIOps Alerts" section in the Events & AIOps Administration Guide.