Checkpoint Firewalls Changed Interface Description after R80.40 Upgrade

Open mrimann opened this issue 4 years ago • 5 comments

After upgrading a firewall from R80.30 to R80.40 we noticed that our traffic graphs don't show any data anymore. To gather the interface's traffic, we run the plugin so it basically collects just all interfaces of the firewalls (unfiltered), Icinga2 pushes those performance data to InfluxDB and only in Grafana we then select certain data-streams (like eth1_traffic_in).

As far as we see, the interfaces are now presented differently from the Checkpoint Firewalls - and it seems that check_nwc_health relies on the ifDescr and not the ifName. I'm not sure if that's by intention, a bug, or maybe even configurable to use ifName.

If I select/filter for "Intel Corporation I211 Gigabit Network Connection 2_traffic_in" I get the proper data out. But of course it would be nice if that would stay as "eth1" as it was before.

So far I did not find any way to influence the ifDescr value of those interfaces. The "comment" on the interface seems to have no influence and is properly shown in the output as Alias-Name (e.g. "WAN").

Verbose output of the interfaces:

root@monitor05:/usr/lib/nagios/plugins/contrib/libexec# ./check_nwc_health --hostname x.x.x.x --mode list-interfaces-detail -vv
000001 lo ________ unknown unknown
000002 Intel Corporation I211 Gigabit Network Connection 2 WAN unknown unknown
000003 Intel Corporation I211 Gigabit Network Connection 3 REDACTED unknown unknown
000004 Intel Corporation I211 Gigabit Network Connection 4 REDACTED unknown unknown
000005 Intel Corporation I211 Gigabit Network Connection 5 ________ unknown unknown
000006 Intel Corporation I211 Gigabit Network Connection 6 ________ unknown unknown
000007 Intel Corporation I211 Gigabit Network Connection 7 REDACTED unknown unknown
000008 eth3.13 ________ unknown unknown
000009 eth3.12 ________ unknown unknown
000010 eth2.105 REDACTED unknown unknown
000011 eth2.202 REDACTED unknown unknown
000012 eth2.43 REDACTED unknown unknown
000013 eth3.11 ________ unknown unknown
000014 eth2.106 REDACTED unknown unknown
[INTERFACESUBSYSTEM]
bootTime: 1598378184.43
duplicates: HASH(0x558d7526e598)
ifCacheLastChange: 1598429622
ifTableLastChange: 1598378184.43
interface_cache: HASH(0x558d75277df0)
info: checking interfaces
[INTERFACE_14]
ifAlias: REDACTED
ifDescr: eth2.106
ifIndex: 14
ifName: eth2.106

[INTERFACE_1]
ifAlias: ________
ifDescr: lo
ifIndex: 1
ifName: lo

[INTERFACE_2]
ifAlias: WAN
ifDescr: Intel Corporation I211 Gigabit Network Connection 2
ifIndex: 2
ifName: eth1

[INTERFACE_8]
ifAlias: ________
ifDescr: eth3.13
ifIndex: 8
ifName: eth3.13

(...)

[INTERFACE_11]
ifAlias: REDACTED
ifDescr: eth2.202
ifIndex: 11
ifName: eth2.202

[INTERFACE_3]
ifAlias: REDACTED
ifDescr: Intel Corporation I211 Gigabit Network Connection 3
ifIndex: 3
ifName: eth2

[INTERFACE_10]
ifAlias: REDACTED
ifDescr: eth2.105
ifIndex: 10
ifName: eth2.105


OK - have fun
checking interfaces

Unfortunately I did not run the same command to compare the output with a R80.30.

mrimann avatar Aug 26 '20 08:08 mrimann

also see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk168601

Symptoms

SNMP poll of OID IF-MIB::ifDescr after upgrade to R80.40 Gaia OS shows only the driver details:

[Expert@GW:0]# snmpwalk -v 2c -c public localhost IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: VMware VMXNET3 Ethernet Controller
IF-MIB::ifDescr.3 = STRING: VMware VMXNET3 Ethernet Controller
IF-MIB::ifDescr.4 = STRING: VMware VMXNET3 Ethernet Controller

SNMP poll of OID IF-MIB::ifDescr in a pre R80.40 Gaia OS shows the interface names:

[Expert@GW:0]# snmpwalk -v 2c -c public localhost IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifDescr.4 = STRING: eth2
IF-MIB::ifDescr.5 = STRING: eth3
IF-MIB::ifDescr.6 = STRING: vpnt1

Cause

The output on R80.40 and higher versions has changed and polling ifDesc provides descriptive information of the interface (Such as driver).

Solution

Use SNMP OID IF-MIB::ifName to get interface names for Gaia OS R80.40 and after

henriknoerr avatar Aug 26 '20 14:08 henriknoerr

@lausser I'm currently working on a fix for this, based on an old PR (#111). Basically this adds an option "--iflabel" that decides which of (ifName, ifDescr, ifAlias) is used to label an interface.

cmock avatar Apr 27 '21 10:04 cmock

Just came across this behaviour as well, after Checkpoint appliances were upgraded from R80.30 to R81.10. We were able to use the short name (e.g. eth1-02) before, since the upgrade this interface is not found anymore.

$ /usr/lib/nagios/plugins/check_nwc_health --hostname CPFirewall --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode list-interfaces-detail
000001 lo ________ unknown unknown
000002 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 2 ________ unknown unknown
000003 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 3 ________ unknown unknown
000004 Intel Corporation I350 Gigabit Network Connection 4 ________ unknown unknown
000005 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 5 ________ unknown unknown
000006 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 6 ________ unknown unknown
000007 Intel Corporation I350 Gigabit Network Connection 7 ________ unknown unknown
000008 Intel Corporation I350 Gigabit Network Connection 8 ________ unknown unknown
000009 Intel Corporation I350 Gigabit Network Connection 9 ________ unknown unknown
000010 Intel Corporation I350 Gigabit Network Connection 10 ________ unknown unknown
000011 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 11 ________ unknown unknown
000012 Intel Corporation I350 Gigabit Network Connection 12 ________ unknown unknown
000013 Intel Corporation I350 Gigabit Network Connection 13 ________ unknown unknown
000014 Intel Corporation I350 Gigabit Network Connection 14 ________ unknown unknown
000015 Intel Corporation I350 Gigabit Network Connection 15 ________ unknown unknown
000016 Intel Corporation I350 Gigabit Network Connection 16 ________ unknown unknown
000017 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 17 ________ unknown unknown
000018 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 18 ________ unknown unknown
000019 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 19 ________ unknown unknown
000020 gre0 ________ unknown unknown
000021 gretap0 ________ unknown unknown
000040 bond0 ________ unknown unknown
000041 bond1 ________ unknown unknown
OK - have fun

The reason seems to be, as @henriknoerr mentioned, that the newer Gaia version uses another way to fill the "ifDescr" field.

[64BIT_9]
delta_ifHCInOctets: 315317
delta_ifHCOutOctets: 8539674
delta_ifInBits: 2522536
delta_ifOutBits: 68317392
delta_timestamp: 156
ifAlias: eth1-02
ifDescr: Intel Corporation I350 Gigabit Network Connection 9
ifHCInOctets: 575352239
ifHCInOctets_per_sec: 2021.26282051282
ifHCOutOctets: 18116600052
ifHCOutOctets_per_sec: 54741.5
ifHighSpeed: 1000
ifInOctets: 575352239
ifIndex: 9
ifName: eth1-02
ifOperStatus: up
ifOutOctets: 936730868
ifSpeed: 1000000000
inputRate: 16170.1025641026
inputUtilization: 0.00161701025641026
maxInputRate: 1000000000
maxOutputRate: 1000000000
outputRate: 437932
outputUtilization: 0.0437932
info: interface Intel Corporation I350 Gigabit Network Connection 9 (alias eth1-02) usage is in:0.00% (16170.10bit/s) out:0.04% (437932.00bit/s)

$ /usr/lib/nagios/plugins/check_nwc_health --hostname CPFirewall --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode interface-usage --name "eth1-02"
UNKNOWN - no interfaces

Napsty avatar Jan 21 '22 11:01 Napsty
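
An added example, not part of the thread or of check_nwc_health: a Python script that parses the `[INTERFACE_n]` / `[64BIT_n]` blocks of the verbose output posted above, maps every ifDescr that no longer equals its ifName, and rewrites perfdata labels of the form `<ifDescr>_traffic_in` back to the pre-upgrade `<ifName>_traffic_in`. The function names and the embedded sample are constructed for illustration, and the mapping assumes ifDescr values are unique in the plugin output, as they are in the listings in this thread.

```python
import re

# Constructed sample: a trimmed excerpt in the format of the
# `--mode list-interfaces-detail -vv` output posted in this thread.
SAMPLE = """\
[INTERFACESUBSYSTEM]
info: checking interfaces
[INTERFACE_1]
ifAlias: ________
ifDescr: lo
ifName: lo
[INTERFACE_2]
ifAlias: WAN
ifDescr: Intel Corporation I211 Gigabit Network Connection 2
ifName: eth1
[INTERFACE_10]
ifAlias: REDACTED
ifDescr: eth2.105
ifName: eth2.105
"""

def parse_interfaces(text):
    """Return {ifIndex: {field: value}} from [INTERFACE_n] / [64BIT_n] blocks."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(?:INTERFACE|64BIT)_(\d+)\]", line)
        if m:
            current = interfaces.setdefault(int(m.group(1)), {})
        elif line.startswith("["):
            current = None  # another section, e.g. [INTERFACESUBSYSTEM]
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return interfaces

def descr_to_name(interfaces):
    """Map ifDescr -> ifName for interfaces where the two differ."""
    return {i["ifDescr"]: i["ifName"] for i in interfaces.values()
            if "ifDescr" in i and "ifName" in i and i["ifDescr"] != i["ifName"]}

def relabel(label, mapping):
    """Rewrite '<ifDescr>_<metric>' to '<ifName>_<metric>'; leave others as-is."""
    for descr, name in mapping.items():
        if label.startswith(descr + "_"):
            return name + label[len(descr):]
    return label
```
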