Checkpoint Firewalls Changed Interface Description after R80.40 Upgrade

[mrimann]

After upgrading a firewall from R80.30 to R80.40 we noticed that our traffic graphs don't show any data anmyore. To gather the interface's traffic, we run the plugin so it basically collects just all interfaces of the firewalls (unfiltered), Icinga2 pushes those performance data to InfluxDB and only in Grafana we then select certain data-streams (like eth1_traffic_in).

As far as we see, the interfaces are now presented different from the Checkpoint Firewalls - and it seems that check_nwc_health relies on the ifDescr and not the ifName. I'm not sure if that's by intention, a bug, or maybe even configurable to use ifName.

If I select/filter for "Intel Corporation I211 Gigabit Network Connection 2_traffic_in" I get the proper data out. But of course it would be nice if that would stay as "eth1" as it was before.

So far I did not find any way so influence the ifDescr value of those interfaces. The "comment" on the interface seems to have no influence and is properly shown in the output as Alias-Name (e.g. "WAN").

Verbose output of the interfaces:

root@monitor05:/usr/lib/nagios/plugins/contrib/libexec# ./check_nwc_health --hostname x.x.x.x --mode list-interfaces-detail -vv
000001 lo ________ unknown unknown
000002 Intel Corporation I211 Gigabit Network Connection 2 WAN unknown unknown
000003 Intel Corporation I211 Gigabit Network Connection 3 REDACTED unknown unknown
000004 Intel Corporation I211 Gigabit Network Connection 4 REDACTED unknown unknown
000005 Intel Corporation I211 Gigabit Network Connection 5 ________ unknown unknown
000006 Intel Corporation I211 Gigabit Network Connection 6 ________ unknown unknown
000007 Intel Corporation I211 Gigabit Network Connection 7 REDACTED unknown unknown
000008 eth3.13 ________ unknown unknown
000009 eth3.12 ________ unknown unknown
000010 eth2.105 REDACTED unknown unknown
000011 eth2.202 REDACTED unknown unknown
000012 eth2.43 REDACTED unknown unknown
000013 eth3.11 ________ unknown unknown
000014 eth2.106 REDACTED unknown unknown
[INTERFACESUBSYSTEM]
bootTime: 1598378184.43
duplicates: HASH(0x558d7526e598)
ifCacheLastChange: 1598429622
ifTableLastChange: 1598378184.43
interface_cache: HASH(0x558d75277df0)
info: checking interfaces
[INTERFACE_14]
ifAlias: REDACTED
ifDescr: eth2.106
ifIndex: 14
ifName: eth2.106

[INTERFACE_1]
ifAlias: ________
ifDescr: lo
ifIndex: 1
ifName: lo

[INTERFACE_2]
ifAlias: WAN
ifDescr: Intel Corporation I211 Gigabit Network Connection 2
ifIndex: 2
ifName: eth1

[INTERFACE_8]
ifAlias: ________
ifDescr: eth3.13
ifIndex: 8
ifName: eth3.13

(...)

[INTERFACE_11]
ifAlias: REDACTED
ifDescr: eth2.202
ifIndex: 11
ifName: eth2.202

[INTERFACE_3]
ifAlias: REDACTED
ifDescr: Intel Corporation I211 Gigabit Network Connection 3
ifIndex: 3
ifName: eth2

[INTERFACE_10]
ifAlias: REDACTED
ifDescr: eth2.105
ifIndex: 10
ifName: eth2.105


OK - have fun
checking interfaces

Unfortunately I did not run the same command to compare the output with a R80.30.

[henriknoerr]

also see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk168601 Symptoms - SNMP poll of OID IF-MIB::ifDescr after upgrade to R80.40 Gaia OS shows only the driver details: [Expert@GW:0]# snmpwalk -v 2c -c public localhost IF-MIB::ifDescr IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: VMware VMXNET3 Ethernet Controller IF-MIB::ifDescr.3 = STRING: VMware VMXNET3 Ethernet Controller IF-MIB::ifDescr.4 = STRING: VMware VMXNET3 Ethernet Controller - SNMP poll of OID IF-MIB::ifDescr in a pre R80.40 Gaia OS shows the interface names: [Expert@GW:0]# snmpwalk -v 2c -c public localhost IF-MIB::ifDescr IF-MIB::ifDescr.1 = STRING: lo IF-MIB::ifDescr.2 = STRING: eth0 IF-MIB::ifDescr.3 = STRING: eth1 IF-MIB::ifDescr.4 = STRING: eth2 IF-MIB::ifDescr.5 = STRING: eth3 IF-MIB::ifDescr.6 = STRING: vpnt1 Cause The output on R80.40 and higher versions has changed and polling ifDesc provides descriptive information of the interface (Such as driver). Solution Use SNMP OID IF-MIB::ifName to get interface names for Gaia OS R80.40 and after ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

…

On Wednesday d. 26. August 2020 kl. 10:24, Mario Rimann ***@***.***> wrote: After upgrading a firewall from R80.30 to R80.40 we noticed that our traffic graphs don't show any data anmyore. To gather the interface's traffic, we run the plugin so it basically collects just all interfaces of the firewalls (unfiltered), Icinga2 pushes those performance data to InfluxDB and only in Grafana we then select certain data-streams (like eth1_traffic_in). As far as we see, the interfaces are now presented different from the Checkpoint Firewalls - and it seems that check_nwc_health relies on the ifDescr and not the ifName. I'm not sure if that's by intention, a bug, or maybe even configurable to use ifName. If I select/filter for "Intel Corporation I211 Gigabit Network Connection 2_traffic_in" I get the proper data out. But of course it would be nice if that would stay as "eth1" as it was before. So far I did not find any way so influence the ifDescr value of those interfaces. The "comment" on the interface seems to have no influence and is properly shown in the output as Alias-Name (e.g. "WAN"). Verbose output of the interfaces: ***@***.***:/usr/lib/nagios/plugins/contrib/libexec# ./check_nwc_health --hostname x.x.x.x --mode list-interfaces-detail -vv 000001 lo ________ unknown unknown 000002 Intel Corporation I211 Gigabit Network Connection 2 WAN unknown unknown 000003 Intel Corporation I211 Gigabit Network Connection 3 REDACTED unknown unknown 000004 Intel Corporation I211 Gigabit Network Connection 4 REDACTED unknown unknown 000005 Intel Corporation I211 Gigabit Network Connection 5 ________ unknown unknown 000006 Intel Corporation I211 Gigabit Network Connection 6 ________ unknown unknown 000007 Intel Corporation I211 Gigabit Network Connection 7 REDACTED unknown unknown 000008 eth3.13 ________ unknown unknown 000009 eth3.12 ________ unknown unknown 000010 eth2.105 REDACTED unknown unknown 000011 eth2.202 REDACTED unknown unknown 000012 eth2.43 REDACTED unknown unknown 000013 eth3.11 ________ unknown unknown 000014 eth2.106 REDACTED unknown unknown [INTERFACESUBSYSTEM] bootTime: 1598378184.43 duplicates: HASH(0x558d7526e598) ifCacheLastChange: 1598429622 ifTableLastChange: 1598378184.43 interface_cache: HASH(0x558d75277df0) info: checking interfaces [INTERFACE_14] ifAlias: REDACTED ifDescr: eth2.106 ifIndex: 14 ifName: eth2.106 [INTERFACE_1] ifAlias: ________ ifDescr: lo ifIndex: 1 ifName: lo [INTERFACE_2] ifAlias: WAN ifDescr: Intel Corporation I211 Gigabit Network Connection 2 ifIndex: 2 ifName: eth1 [INTERFACE_8] ifAlias: ________ ifDescr: eth3.13 ifIndex: 8 ifName: eth3.13 (...) [INTERFACE_11] ifAlias: REDACTED ifDescr: eth2.202 ifIndex: 11 ifName: eth2.202 [INTERFACE_3] ifAlias: REDACTED ifDescr: Intel Corporation I211 Gigabit Network Connection 3 ifIndex: 3 ifName: eth2 [INTERFACE_10] ifAlias: REDACTED ifDescr: eth2.105 ifIndex: 10 ifName: eth2.105 OK - have fun checking interfaces Unfortunately I did not run the same command to compare the output with a R80.30. — You are receiving this because you are subscribed to this thread. Reply to this email directly, [view it on GitHub](#254), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AAXS5VGS4TNHSEWEBHM6XL3SCTBCPANCNFSM4QLROO7Q).

[cmock]

@lausser I'm currently working on a fix for this, based on an old PR (#111). Basically this adds an option "--iflabel" that decides which of (ifName, ifDescr, ifAlias) is used to label an interface.

[Napsty]

Just came across this behaviour as well, after Checkpoint appliances were upgraded from R80.30 to R81.10.
We were able to use the short name (e.g. eth1-02) before, since the upgrade this interface is not found anymore.

$ /usr/lib/nagios/plugins/check_nwc_health --hostname CPFirewall --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode list-interfaces-detail
000001 lo ________ unknown unknown
000002 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 2 ________ unknown unknown
000003 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 3 ________ unknown unknown
000004 Intel Corporation I350 Gigabit Network Connection 4 ________ unknown unknown
000005 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 5 ________ unknown unknown
000006 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 6 ________ unknown unknown
000007 Intel Corporation I350 Gigabit Network Connection 7 ________ unknown unknown
000008 Intel Corporation I350 Gigabit Network Connection 8 ________ unknown unknown
000009 Intel Corporation I350 Gigabit Network Connection 9 ________ unknown unknown
000010 Intel Corporation I350 Gigabit Network Connection 10 ________ unknown unknown
000011 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 11 ________ unknown unknown
000012 Intel Corporation I350 Gigabit Network Connection 12 ________ unknown unknown
000013 Intel Corporation I350 Gigabit Network Connection 13 ________ unknown unknown
000014 Intel Corporation I350 Gigabit Network Connection 14 ________ unknown unknown
000015 Intel Corporation I350 Gigabit Network Connection 15 ________ unknown unknown
000016 Intel Corporation I350 Gigabit Network Connection 16 ________ unknown unknown
000017 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 17 ________ unknown unknown
000018 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 18 ________ unknown unknown
000019 Intel Corporation Ethernet Controller X710 for 10GbE SFP+ 19 ________ unknown unknown
000020 gre0 ________ unknown unknown
000021 gretap0 ________ unknown unknown
000040 bond0 ________ unknown unknown
000041 bond1 ________ unknown unknown
OK - have fun

The reason seems to be, as @henriknoerr mentioned, that the newer Gaia version uses another way to fill the "ifDescr" field.

[64BIT_9]
delta_ifHCInOctets: 315317
delta_ifHCOutOctets: 8539674
delta_ifInBits: 2522536
delta_ifOutBits: 68317392
delta_timestamp: 156
ifAlias: eth1-02
ifDescr: Intel Corporation I350 Gigabit Network Connection 9
ifHCInOctets: 575352239
ifHCInOctets_per_sec: 2021.26282051282
ifHCOutOctets: 18116600052
ifHCOutOctets_per_sec: 54741.5
ifHighSpeed: 1000
ifInOctets: 575352239
ifIndex: 9
ifName: eth1-02
ifOperStatus: up
ifOutOctets: 936730868
ifSpeed: 1000000000
inputRate: 16170.1025641026
inputUtilization: 0.00161701025641026
maxInputRate: 1000000000
maxOutputRate: 1000000000
outputRate: 437932
outputUtilization: 0.0437932
info: interface Intel Corporation I350 Gigabit Network Connection 9 (alias eth1-02) usage is in:0.00% (16170.10bit/s) out:0.04% (437932.00bit/s)

$ /usr/lib/nagios/plugins/check_nwc_health --hostname CPFirewall --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode interface-usage --name "eth1-02"
UNKNOWN - no interfaces

[arnotron]

@lausser I'm currently working on a fix for this, based on an old PR (#111). Basically this adds an option "--iflabel" that decides which of (ifName, ifDescr, ifAlias) is used to label an interface.

Hello,
we encountered the same issue - did you make any progress? Is there a patch we could test?

[arnotron]

Hello,
we tried to test your iflabel fork, but could not find any changes. Are we looking in the wrong place or did the change get lost over time?
Kind regards, Arne

[cmock]

looks like I never pushed my changes to github, rather embarrasingly. And now there's some merge conflict and I really don't have the time to mess with git, sorry.

[arnotron]

Hello,
I was annoyed enough by this open issue that I tried to develop a fix for it. Please review my pull request and let me know if I missed anything important or violated any best practices - it has been a while since I regularly touched Perl code ;-)
thanks in advance,
Arne

[Napsty]

@arnotron cool that you developped a fix for it. Always helpful to have someone else also looking at the code :-)
But there's another way (without having to modify the plugin code), by telling the plugin which "field" should be used to determine the interface name. Default in check_nwc_health is ifDescr, but you can change the default by using --iflabel to something else.

In the example shown above (#254 (comment)) the "real" interface name can now be found under ifName (which you've added in your PR as --name2).

So here's a practical run on our CheckPoint VSX Firewall, currently running version R81.10.

$ /usr/lib/nagios/plugins/check_nwc_health --hostname checkpointip --protocol 3 --username user --authpassword secret --authprotocol sha1 --mode interface-usage --name "eth2-01"
UNKNOWN - no interfaces

If I add the --iflabel parameter and set it to use ifName (instead of the default ifDescr), surprise, surprise:

$ /usr/lib/nagios/plugins/check_nwc_health --hostname checkpointip --protocol 3 --username user --authpassword secret --authprotocol sha1 --mode interface-usage --name "eth2-01" --iflabel "ifName"
OK - interface eth2-01 usage is in:0.00% (9361.24bit/s) out:0.00% (1489.88bit/s) | 'eth2-01_usage_in'=0.00%;;;0;100 'eth2-01_usage_out'=0.00%;;;0;100 'eth2-01_traffic_in'=9361.24;;;0;10000000000 'eth2-01_traffic_out'=1489.88;;;0;10000000000

UPDATE: OH CRAP! I just realized I did a manual code merge on the check_nwc_health we used and basically implemented PR #111 to have this --iflabel parameter at hand. Sorry!!!

UPDATE2: Now I had to look it up for sure, what did I do back then. So this was in January 2022 when I manually merged PR #276 into the code. I guess this was the PR from @cmock but the PR has been deleted. So since then the plugin runs with this iflabel parameter (which was never merged in upstream, unfortunately).