Low Identity Awareness User Count-f5-all

Low Identity Awareness User Count-f5-all

Vendor: f5

OS: all

Description:
Indeni can identify if the current Identity Awareness User Count is below acceptable levels during active hours.

Remediation Steps:
Please review the following article to determine the root cause behind the low count: http://downloads.checkpoint.com/dc/download.htm?ID=12625. Otherwise, contact your Check Point technical support provider. If the threshold is too sensitive, please request for the Indeni threshold to be modified as necessary.

How does this work?
Indeni logs in over SSH and executes “tmsh -q list sys ntp”. The output is then parsed for the configured timezone.

Why is this important?
A correct time and time zone is very important for many reasons. An incorrectly configured time zone could mean that timestamps on logs are incorrect. Indeni will identify when two devices are part of a cluster and alert if the timezone setting is different.

Without Indeni how would you find this?
An administrator could login to the unit through SSH, enter TMSH and issue the command “list sys ntp” to see the configured timezone. This information is also availble through the Web Interface by navigating to “System” -> “Platform”.

f5-tmsh-list-sys-ntp

name: f5-tmsh-list-sys-ntp
description: Get the configured NTP servers and timezone
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    linux-based: 'true'
    shell: bash
comments:
    ntp-servers:
        why: |
            Not having an NTP server configured could make the clock slowly drift, which makes log entries and other information harder to summarize between devices. If the clock drifts very far out, there could also be issues with validating certificates.
        how: |
            Indeni logs in over SSH and executes "tmsh -q list sys ntp". The output is then parsed for any ntp server configuration.
        without-indeni: |
            An administrator could login to the unit through SSH, enter TMSH and issue the command "list sys ntp" to see the configured NTP servers. This information is also availble through the Web Interface by navigating to "System" -> "Configuration" -> "Device" -> "NTP".
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: |
            This information is available via both TMSH and the Web Interface.
    timezone:
        why: |
            A correct time and time zone is very important for many reasons. An incorrectly configured time zone could mean that timestamps on logs are incorrect. Indeni will identify when two devices are part of a cluster and alert if the timezone setting is different.
        how: |
            Indeni logs in over SSH and executes "tmsh -q list sys ntp". The output is then parsed for the configured timezone.
        without-indeni: |
            An administrator could login to the unit through SSH, enter TMSH and issue the command "list sys ntp" to see the configured timezone. This information is also availble through the Web Interface by navigating to "System" -> "Platform".
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: This information is available via both TMSH and
            the Web Interface.
steps:
-   run:
        type: SSH
        command: tmsh -q list sys ntp
    parse:
        type: AWK
        file: tmsh-list-sys-ntp.parser.1.awk

number_of_awareness_users_too_low

package com.indeni.server.rules.library.core
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.OptionalExpression
import com.indeni.ruleengine.expressions.casting.date.{DayRangeParseExpression, StartOfTheDayExpression}
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThanOrEqual, LesserThanOrEqual}
import com.indeni.ruleengine.expressions.core.{EMPTY_STRING, StatusTreeExpression}
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules.config.expressions.DynamicParameterExpression
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{DeviceKey, RuleContext, RuleMetadata, _}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class NumberOfIdentityAwarenessUsersTooLowRule() extends PerDeviceRule with RuleHelper {

  private[library] val LowThresholdParameterName = "identity_awareness_users_minimum"
  private val lowThresholdParameter = new ParameterDefinition(
    LowThresholdParameterName,
    "",
    "Minimum Amount of users Threshold",
    "How many minimum users are logged in",
    UIType.INTEGER,
    0
  )

  private val dayRangesParameterName = "day_ranges_whitelist"
  private val dayRangesParameter = new ParameterDefinition(
    dayRangesParameterName,
    "",
    "Day Ranges (Whitelist)",
    "Enter the list of dayRanges that should be checked, each one on its own line according to the following format:\n" +
      "\"DAY,HH:MM,HH:MM\".\n" +
      "Indeni will alert if the numbers of users is equal or lower than the threshold only during those times.",
    UIType.MULTILINE_TEXT,
    ""
  )

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "number_of_awareness_users_too_low",
      "Low Identity Awareness User Count",
      "Indeni can identify if the current Identity Awareness User Count is below acceptable levels during active hours.",
      AlertSeverity.ERROR,
      categories= Set(RuleCategory.HealthChecks),
      deviceCategory = DeviceCategory.CheckPointDevices
    )
    .configParameters(lowThresholdParameter, dayRangesParameter)
    .build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("identity-awareness-users-actual").last
    val date = TimeSeriesExpression[Double]("current-datetime").last.toTimeSpan(TimePeriod.MILLISECOND)
    val threshold: OptionalExpression[Double] = getParameterDouble(lowThresholdParameter)
    val dayRanges = DynamicParameterExpression.withConstantDefault(dayRangesParameterName, Seq[String]())
    val timezone =
      SingleSnapshotExtractExpression(SnapshotExpression("timezone").asSingle().mostRecent().value(), "value")

    StatusTreeExpression(
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      StatusTreeExpression(
        SelectTimeSeriesExpression[Double](context.tsDao,
                                           Set("identity-awareness-users-actual", "current-datetime"),
                                           denseOnly = false),
        And(
          StatusTreeExpression(
            SelectSnapshotsExpression(context.snapshotsDao, Set("timezone")).single(),
            And(
              GreaterThanOrEqual(
                date,
                PlusExpression(
                  StartOfTheDayExpression(date, timezone),
                  DayRangeParseExpression(date, timezone, dayRanges, upper = false),
                )
              ),
              GreaterThanOrEqual(
                PlusExpression(
                  DayRangeParseExpression(date, timezone, dayRanges, upper = true),
                  StartOfTheDayExpression(date, timezone)
                ),
                date
              )
            )
          ).withSecondaryInfo(
            scopableStringFormatExpression("Actual value: %.0f, Threshold: %.0f", actualValue, threshold),
            EMPTY_STRING,
            "User Count",
          ).asCondition(),
          LesserThanOrEqual(actualValue, threshold)
        )
      ).withRootInfo(
          getHeadline(),
            scopableStringFormatExpression("The current Identity Awareness User Count is below acceptable levels during active hours. Generally, this indicates that the gateway's ability to communicate with the Active Directory is down and should be investigated."),
          ConditionalRemediationSteps(
            "Please review the following article to determine the root cause behind the low count: http://downloads.checkpoint.com/dc/download.htm?ID=12625. Otherwise, contact your Check Point technical support provider. If the threshold is too sensitive, please request for the Indeni threshold to be modified as necessary.")
        )
        .asCondition()
    ).withoutInfo()
  }

}