Monitoring Device Status

The Gateways & Servers view in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. contains 6 views of the status of the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and all the devices it manages.

• General - Provides general information about all devices.

• Health - Provides information about the health or operational status of each device.

• Traffic - Provides information about the volume of network traffic which passes through a specific device

• Access Control - Provides information about the Access Control blades and Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. information for each device.

• Threat Prevention - Provides information about the Threat Prevention blades and policy for each device.

• Management - Provides information about the management blades for each device.

• Licenses - Provides information about the licenses of the device and Software Blades enabled on the device.

The General view is the default view. To change the view, go to the top-left corner of the Gateways & Servers view > Columns, and from the drop-down menu, select the required view.

Device Status

The status updates of a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. reflect the status of the Software Blades. For example, if statuses of all the Software Blades are OK, except for the SmartEvent blade, which has a Problem status, the overall status is Problem. You can see the statuses of the Security Gateways both in the Gateways & Servers view in SmartConsole and in SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings.. To see the status updates of Security Gateways in SmartDashboard, in the Logs & Monitor view, go to External Apps, and click Tunnel and User Monitoring. This table summarizes the Security Gateway statuses:

Status Icon	Description
OK	The Security Gateway and all its Software Blades work properly.
Attention	At least one Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. has a minor issue, but the Security Gateway works.
Problem	At least one Software Blade reported a malfunction, or an enabled Software Blade is not installed.
Waiting	SmartView Monitor waits for the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to send data from Security Gateways.
Disconnected	Cannot reach the Security Gateway.
Untrusted	Cannot make Secure Internal Communication between the Security Management Server and the Security Gateway.

Displaying Gateway Data

You can see detailed information about each Check Point Security Gateway or OPSEC Gateway.

To see data about a gateway:

1. In SmartConsole, go to the Logs & Monitor view.

2. At the bottom section of the view, go to External Apps, and select Tunnel & User Monitoring.

   The Check Point SmartView Monitor opens.

3. Go to Gateway Status > Firewalls.

   The Firewalls view displays general information about each Security Gateway.

4. For system information, click System Information.

5. For more information about a specific Software Blade, click the relevant Software Blade

System Data

• OS Information - The name, the version name/number, the build number, the service pack, and any additional information about the Operating System in use.

• CPU - The specific CPU parameters (for example, Idle, User, Kernel, and Total) for each CPU.
  Note - In the Gateways Results view the Average CPU indicates the average total CPU usage of all existing CPOS.

• Memory - The total amount of virtual memory, what percentage of this total is used. The total amount of real memory, what percentage of this total is used, and the amount of real memory available for use.

• Disk - Shows all the disk partitions and their specific details (for example, capacity, used, and free).
  Note - In the Gateways Results view the percentage/total of free space in the hard disk on which the Firewall is installed. For example, if there are two hard drives C and D and the Firewall is on C, the Disk Free percentage represents the free space in C and not D.

To view the status of Check Point applications on the local server or another appliance, the cpstat command. For more information, see the R81 CLI Reference Guide - Chapter Security Gateway Commands - Section cpstat.

Firewall

• Policy information - The name of the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. installed on the Security Gateway, and the date and time that this policy was installed.

• Packets - The number of packets accepted, dropped and logged by the Security Gateway.

• UFP Cache performance - The hit ratio percentage and the total number of hits handled by the cache, the number of connections inspected by the UFP Server.

• Hash Kernel Memory (the memory status) and System Kernel Memory (the OS memory) - The total amount of memory allocated and used. The total amount of memory blocks used. The number of memory allocations, and those allocation operations which failed. The number of times that the memory allocation freed up, or failed to free up. The NAT Cache, including the total amount of hits and misses.

Virtual Private Networks

The Virtual Private Networks (VPN) is divided into these main statuses:

• Current represents the current number of active output.

• High Watermark represents the maximum number of current output

• Accumulative data represents the total number of the output.

This includes:

• Active Tunnels - All types of active VPN peers to which there is currently an open IPsec tunnel. This is useful to track the activity level of the VPN Security Gateway. High Watermark includes the maximum number of VPN peers for which there was an open IPsec tunnel since the Security Gateway was restarted.

• Remote Access - All types of Remote Access VPN users with which there is currently an open IPsec tunnel. This is useful to track the activity level and load patterns of VPN Security Gateways that serve as a remote access server. High Watermark includes the maximum number of Remote Access VPN users with which there was an open IPsec tunnel since the Security Gateway was restarted.

• Tunnels Establishment Negotiation - The current rate of successful Phase I IKE Negotiations (measured in Negotiations per second). This is useful to track the activity level and load patterns of a VPN Gateway that serve as a remote access server. High Watermark includes the highest rate of successful Phase I IKE Negotiations since the Policy was installed (measured in Negotiations per second). Accumulative data includes the total number of successful Phase I IKE negotiations since the Policy was installed.

• Failed - The current failure rate of Phase I IKE Negotiations can be used to troubleshoot (for instance, denial of service) or for a heavy load of VPN remote access connections. High Watermark includes the highest rate of failed Phase I IKE negotiations since the Policy was installed. Accumulative is the total number of failed Phase I IKE negotiations since the Policy was installed.

• Concurrent - The current number of concurrent IKE negotiations. This is useful to track the behavior of VPN connection initiation, especially in large deployments of remote access VPN scenarios. High Watermark includes the maximum number of concurrent IKE negotiations since the Policy was installed.

• Encrypted and Decrypted throughput - The current rate of encrypted or decrypted traffic (measured in Mbps). Encrypted or decrypted throughput is useful (in conjunction with encrypted or decrypted packet rate) to track VPN usage and VPN performance of the Security Gateway. High Watermark includes the maximum rate of encrypted or decrypted traffic (measured in Mbps) since the Security Gateway was restarted. Accumulative includes the total encrypted or decrypted traffic since the Security Gateway was restarted (measured in Mbps).

• Encrypted and Decrypted packets - The current rate of encrypted or decrypted packets (measured in packets per second). Encrypted or decrypted packet rate is useful (in conjunction with encrypted/decrypted throughput) to track VPN usage and VPN performance of the Security Gateway. High Watermark includes the maximum rate of encrypted or decrypted packets since the Security Gateway was restarted, and Accumulative, the total number of encrypted packets since the Security Gateway was restarted.

• Encryption and Decryption errors - The current rate at which errors are encountered by the Security Gateway (measured in errors per second). This is useful to troubleshoot VPN connectivity issues. High Watermark includes the maximum rate at which errors are encountered by the Security Gateway (measured in errors per second) since the Security Gateway was restarted, and the total number of errors encountered by the Security Gateway since the Security Gateway was restarted.

• Hardware - The name of the VPN Accelerator Vendor, and the status of the Accelerator. General errors such as the current rate at which VPN Accelerator general errors are encountered by the Security Gateway (measured in errors per second). The High Watermark includes the maximum rate at which VPN Accelerator general errors are encountered by the Security Gateway (measured in errors per second) since the Security Gateway was restarted. The total number of VPN Accelerator general errors encountered by the Security Gateway since it was restarted.

• IP Compression - Compressed/Decompressed packets statistics and errors.

QoS

• Policy information - The name of the QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. Policy and the date and time that it was installed.

• Number of interfaces - The number of interfaces on the Check Point QoS Security Gateway. Information about the interfaces applies to both inbound and outbound traffic. This includes the maximum and average amount of bytes that pass per second, and the total number of conversations, where conversations are active connections and connections that are anticipated as a result of prior inspection. Examples are data connections in FTP, and the "second half" of UDP connections.

• Packet and Byte information - The number of packets and bytes in Check Point QoS queues.

ClusterXL

• Gateway working mode - The Security Gateway works mode as a Cluster Member Security Gateway that is part of a cluster. (Active or not), and its place in the priority sequence. Working modes are: ClusterXL, Load Sharing, Sync only. Running modes: Active, Standby, Ready, and Down.

• Interfaces - Interfaces recognized by the Security Gateway. The interface data includes the IP Address and status of the specified interface, if the connection that passes through the interface is verified, trusted or shared.

• Problem Notes - Descriptions of the problem notification device such as its status, priority and when the status was last verified.

OPSEC

• The version name or number, and build number of the Check Point OPSEC SDK and OPSEC product. The time it takes (in seconds) since the OPSEC Gateway is up and running.

• The OPSEC vendor can add fields to their OPSEC Application Gateway details.

Check Point Security Management

• The synchronization status indicates the status of the peer Security Management Servers in relation to that of the selected Security Management Server. View this status in the Management High Availability Servers window, if you are connected to the Active or Standby Security Management Server. The possible synchronization statuses are:

  • Never been synchronized - Immediately after the Secondary Security Management Server was installed, it did not undergo with the first manual synchronization. This synchronization brings it up to date with the Primary Management.

  • Synchronized - The peer is synchronized correctly and has the same database information and installed Security Policy.

  • Collision - The active Security Management Server and its peer have different installed policies and databases. The administrator must do manual synchronization and decide which of the Security Management Servers to overwrite.

• Clients - The number of connected clients on the Security Management Server, the name of the SmartConsole, the administrator that manages the SmartConsole, the name of the SmartConsole host, the name of the locked database, and the type of SmartConsole application.

SmartEvent Correlation Unit and the SmartEvent Server

SmartView Monitor reads statuses from the SmartEvent Correlation Unit SmartEvent software component on a SmartEvent Server that analyzes logs and detects events. and SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database..

SmartEvent Correlation Unit status examples:

• Is the SmartEvent Correlation Unit active or inactive

• Is the SmartEvent Correlation Unit connected to the SmartEvent Server

• Is the SmartEvent Correlation Unit connected to the Log Server Dedicated Check Point server that runs Check Point software to store and process logs.

• SmartEvent Correlation Unit and Log Server connection status

• Offline job status

• Lack of disk space status

SmartEvent Server status examples:

• Last handle event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. time

• Is the SmartEvent Server active or inactive

• A list of SmartEvent Correlation Unit the SmartEvent Server is connected to

• How many events arrived in a specified time period

Connect the SmartEvent Correlation Unit to the Log Server to read logs. Connect it to the SmartEvent Server to send events. If problems occur in the SmartEvent Correlation Unit connection to other components (for example, SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. problems) the problems are reported in the SmartEvent Correlation Unit status.

For the same reasons, the SmartEvent Server contains statuses that provide information about connections to all SmartEvent Correlation Unit.

Anti-Virus and URL Filtering

SmartView Monitor can now provide statuses and counters for Security Gateways with enabled Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. and URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF..

The statuses are divided into these categories:

• Current Status

• Update Status (for example, when was the signature update last checked)

Anti-Virus statuses are associated with signature checks and URL Filtering statuses are associated with URLs and categories.

In addition, SmartView Monitor can now run Anti-Virus and URL Filtering counters.

For example:

• Top five attacks in the last hour

• Top 10 attacks since last reset

• Top 10 http attacks in the last hour

• HTTP attacks general info

Multi-Domain Security Management

SmartView Monitor can be used to monitor Multi-Domain Servers. This information can be viewed in the Gateway Status view. In this view you can see Multi-Domain Security Management counter information (for example, CPU or Overall Status).

The 'cpstat' Command

Description

Displays the status and statistics information of Check Point applications.

Syntax

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

For more information, see the R81 CLI Reference Guide - Chapter Security Gateway Commands - Section cpstat.

Starting and Stopping Cluster Members

To stop and start one member of a cluster from SmartView Monitor:

1. Open a Gateway Status view.

2. Right-click the cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. member and select Cluster Member > Start Member or Stop Member.