Pointix - Integrating Check Point and Zabbix
Previous Post: https://www.spikefishsolutions.com/post/monitoring-check-point-infrastructure-with-zabbix
Everyone at Spikefish Solutions is very excited to announce we are releasing our first Open Source project! We teased the project in a blog post back in February but after a long hiatus and several rewrites, Pointix will finally be available to the public. The purpose of Pointix is to automatically populate Zabbix with your Check Point infrastructure. With this tool you can take an environment of thousands of devices and have them imported into Zabbix in a fraction of the time it would take to complete that process manually. This saves your engineers time, and the company money.
Pointix works by retrieving a list of the Domain Management Servers, Log Management Servers, gateways, and clusters in a Check Point MDS or SMS and adding them to Zabbix. This requires the management API to be enabled on the Management Server and in Zabbix. Pointix is designed to query a single given domain on the MDS at a time, so you can control what goes into Zabbix and how quickly. When this tool adds the Check Point hosts to Zabbix, it automatically applies the given groups and templates to each host. More information on the functionality of Pointix can be found in the readme of the GitHub project or the YouTube video:
There have been quite a few changes and enhancements since we teased this in our original blog post. We realized that the single picture we showed didn't really make it clear that this was a working project, so the developer Devin Marks has gone ahead and made a video demonstrating Pointix. The GitHub project can be found here: https://github.com/SpikefishSolutions/Pointix/. If you need professional services for Zabbix, Check Point, Pointix, or a major feature improvement for your specific environment, contact us at firstname.lastname@example.org.
How Pointix Works
I gave a little overview previously of how Pointix works, but here we’re going to really dive into the process. Pointix relies on both the Check Point Management API and the Zabbix API. Pointix first queries the management API on an MDS or SMS for a list of gateways and clusters. It then queries the management API for more detailed information about each gateway and cluster. This detailed information is what we use to decide on host attributes when the host is added to Zabbix. Pointix also queries the global domain for the management servers and log servers that belong to the given domain. You cannot monitor these servers with SNMP, but they are added to Zabbix for inventory purposes and for simple checks such as ping.
Once Pointix obtains all of the information it needs from the Management API, it goes through each of the devices and adds them as hosts in Zabbix. Pointix automatically creates several tags: ‘vendor’, with the value ‘Check Point’; ‘domain’, with the domain the host comes from; and, for cluster hosts, the name of the cluster. Two inventory fields are also filled: Vendor is set to Check Point, and Location is populated with the domain. We have done this because it fits our use case for Zabbix, but you can change what is populated in Zabbix with just a little bit of Python experience. The code responsible for this is part of the Zabbix API call that adds the hosts to Zabbix; you should be able to find these lines in the 'module.py' file.
One of the ways we use Pointix is to automatically add new Check Point devices to Zabbix for better inventory tracking and for monitoring. We set up Pointix to run every night on every domain; any new devices are added automatically. Existing devices are not added again: Zabbix does not allow two hosts to have the same hostname, so it rejects the request to add a host that already exists. The timestamped log file lets you check which hosts were added on any given run of Pointix.
There are a few required Python packages before running Pointix. The tool requires the Check Point API SDK, py-zabbix, and pyyaml. The Check Point API SDK is developed by Check Point, py-zabbix is a third-party library but is the Python package recommended by Zabbix, and pyyaml is developed by the YAML project. These can either be downloaded from their GitHub repositories or installed with pip. The pip commands are as follows:
pip install py-zabbix pyyaml
pip install git+https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
Next, there are a few files that you need to edit to ensure they have the correct information, and a few that enable optional features. The first necessary file is ‘groups-templates’. This is the file where you define the lists of Zabbix groups and templates that will be assigned to the different types of Check Point hosts. For example, the list following ‘clusterGroupName’ holds the groups that will be assigned to the cluster VIP host, and ‘clusterMembersGroupName’ holds the groups that will be assigned to each member of the clusters. The other necessary file is ‘application.yml’. This file contains the authentication credentials for both APIs and the SNMP settings. If any section of 'application.yml' is missing, Pointix will prompt for these credentials at runtime.
#groups-templates
clusterGroupName:Check Point Cluster
clusterTemplateName:Check Point Cluster,Check Point Firewalls,Check Point Generic Device
clusterMembersGroupName:Check Point Cluster Members
clusterMembersTemplateName:Check Point Cluster Members,Check Point Firewalls,Check Point Generic Device

#application.yml
checkpoint:
  username: admin
  password: examplepass
There are three other files that are used for different optional features of Pointix. The first file is called ‘ignore-ip’ and is a list of IPs for the hosts you don't want added to Zabbix. This can be the IP of a gateway, cluster VIP, management server, or log server. For example, if you have no need to have the management CMAs or CLMs in Zabbix, you can add all of their IPs to the ‘ignore-ip’ file and they won’t be added to Zabbix. The second optional file is the ‘override’ file. If for some reason you want to point the monitoring IP in Zabbix for a particular host to a different IP address, include the pair in the ‘override’ file. This file is a list of IP pairs in the following format:
192.168.100.1:10.10.10.1
<Actual IP>:<Override IP>
The final optional file is the ‘daip’ file. This file has two uses. The first is the intended use: handling any DAIP gateways in your environment. If you have DAIP gateways and want them added to Zabbix, there must be an entry in this file telling Pointix which FQDN to monitor for each gateway. If Pointix finds a DAIP gateway and there is no entry for it in the ‘daip’ file, the gateway will not be added to Zabbix. The second use for the ‘daip’ file is monitoring any host by its FQDN. Even if a Check Point host is not a DAIP gateway, you can include it in the ‘daip’ file and Pointix will use that FQDN as the monitoring address in Zabbix. The following is the format for the ‘daip’ entries:
Pointix is designed to be run from the command line, and requires four command line arguments for an MDS and three for a Standalone Management Server. These arguments supply Pointix with the MDS IP, the domain on the MDS, the Zabbix URL, and the SNMP version. For a Standalone server, you leave out the '-d' flag since there are no domains on an SMS. Pointix supports adding hosts to Zabbix with either SNMPv2 or SNMPv3 credentials. The credentials for whichever version you have deployed on the Check Point devices in your environment are supplied by you in the 'application.yml' file. The following are examples of executing ‘main.py’:
python3 main.py -c 10.10.10.10 -d example_domain -z http://10.10.10.11/zabbix/ -s 3
python3 main.py -c 10.10.10.10 -z http://10.10.10.11/zabbix/ -s 3
python3 main.py -c <MDSIP> -d <domain> -z <ZABBIXURL> -s <SNMPVERSION(2 or 3)>
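The host-selection rules from the optional files above (‘ignore-ip’, ‘override’, ‘daip’) and the tags and inventory fields described under How Pointix Works, as an added example that is not Pointix's own code. The gateway record keys (‘name’, ‘ipv4-address’, ‘dynamic-ip’, ‘cluster’), the group and template IDs, and the DAIP lookup passed in as a dict are assumptions made for the example; only the Zabbix host.create payload is built, nothing is sent.

```python
# Added example, not Pointix's own code: apply the 'ignore-ip', 'override' and
# 'daip' rules to one gateway record, then build the Zabbix host.create payload
# with the tags and inventory fields described above. The gateway dict, the
# group/template IDs and the DAIP lookup are constructed assumptions.

def _entries(text):
    """Non-blank, non-comment lines of a Pointix list file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def parse_ignore_ip(text):
    """'ignore-ip' file: one IP per line."""
    return set(_entries(text))

def parse_override(text):
    """'override' file: '<Actual IP>:<Override IP>' pairs, one per line."""
    return dict(tuple(p.strip() for p in ln.split(":", 1)) for ln in _entries(text))

def monitoring_address(gw, ignore, override, daip):
    """Return (dns, ip) to monitor, or None when the rules skip this host."""
    ip = gw["ipv4-address"]
    if ip in ignore:                      # listed in 'ignore-ip': never added
        return None
    if gw["name"] in daip:                # FQDN from the 'daip' file wins
        return daip[gw["name"]], ""
    if gw.get("dynamic-ip"):              # DAIP gateway with no 'daip' entry
        return None
    return "", override.get(ip, ip)       # 'override' replaces the real IP

def build_host_create(gw, domain, groupids, templateids, snmp,
                      ignore, override, daip):
    """Zabbix host.create parameters, or None if this host is skipped."""
    addr = monitoring_address(gw, ignore, override, daip)
    if addr is None:
        return None
    dns, ip = addr
    tags = [{"tag": "vendor", "value": "Check Point"},
            {"tag": "domain", "value": domain}]
    if gw.get("cluster"):                 # cluster members carry the cluster tag
        tags.append({"tag": "cluster", "value": gw["cluster"]})
    return {
        "host": gw["name"],
        "interfaces": [{"type": 2, "main": 1, "useip": 0 if dns else 1,  # 2 = SNMP
                        "ip": ip, "dns": dns, "port": "161", "details": snmp}],
        "groups": [{"groupid": g} for g in groupids],
        "templates": [{"templateid": t} for t in templateids],
        "tags": tags,
        "inventory_mode": 0,              # manual inventory
        "inventory": {"vendor": "Check Point", "location": domain},
    }
```

The returned dict is what a py-zabbix `host.create` call would take; a duplicate hostname is still rejected by Zabbix itself, as described above.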
After Pointix has been executed, it prints to the console all of the devices that succeeded, failed, or were ignored. A log file is also created that contains the same information along with logs from all of the functions that were executed. So if a host failed to add to Zabbix, the log file is where you would go to find out why, and if Pointix terminates without completing, the log file will tell you where and why it exited.
If you have any issues with Pointix, please provide the relevant lines from this file when creating a bug report in GitHub. We are currently planning on supplying Pointix to the community as-is, but if there are any major bugs or problems we will take a look at them and fix them when we have time. We would like to thank you for taking the time to read through this blog post and for your interest in Pointix. We are very proud of the capabilities of this project, and hope that it will allow you to better track and monitor your Check Point infrastructure with Zabbix. If you need professional services for Zabbix, Check Point, Pointix, or a major feature improvement for your specific environment, contact us at email@example.com.