Amazon Web Services (AWS) CloudWatch integration
Solution

This article describes how to report Security Gateway statistics as metrics to the Amazon Web Services (AWS) CloudWatch service. These metrics can be used to monitor the Security Gateway's health and to trigger auto scale events.

Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

  • CloudWatch
  • Elastic Compute Cloud (EC2)
  • Identity and Access Management (IAM)

To make API calls to AWS automatically, the Security Gateway must be provided with AWS credentials. This is done with a standard AWS mechanism called IAM Roles. For that you need an AWS user account with IAM privileges.

For further information regarding IAM roles, refer to the following articles:


Setup

  1. Create the following AWS IAM policy:
     
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudwatch:PutMetricData"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
  2. Attach the above policy to an existing IAM role or create a new role with the above policy.

  3. Use this role when launching the Check Point Security Gateway instances.

  4. Start reporting the metrics periodically by running:
    /sbin/cloudwatch start
    
    This will register a cron job that runs every minute and updates the AWS CloudWatch service with the gateway statistics.

    To stop reporting, run:
    /sbin/cloudwatch stop
    
    This will unregister the cron job.

  5. Gateway statistics should now appear in your CloudWatch portal:

Note: Gateway statistics are sent about once a minute.


Appendix - Check Point SNMP Object IDs (MIB IDs) exported by CloudGuard IaaS

Check Point provides a set of MIB files that contain definitions of all SNMP counters supported by Check Point software.

Below is the list of MIB IDs exported by CloudGuard IaaS Security Gateways to AWS CloudWatch:

Metric Name                                    Unit            Check Point MIB ID
---------------------------------------------- --------------- ----------------------------
Num. Connections                               Count           .1.3.6.1.4.1.2620.1.1.25.3
Active Virtual Memory (Bytes)                  Bytes           .1.3.6.1.4.1.2620.1.6.7.4.2
Active Real Memory (Bytes)                     Bytes           .1.3.6.1.4.1.2620.1.6.7.4.4
Free Real Memory (Bytes)                       Bytes           .1.3.6.1.4.1.2620.1.6.7.4.5
Memory Swaps/Sec                               Count/Second    .1.3.6.1.4.1.2620.1.6.7.4.6
Memory To Disk Transfers/Sec                   Count/Second    .1.3.6.1.4.1.2620.1.6.7.4.7
CPU User Time (%)                              Percent         .1.3.6.1.4.1.2620.1.6.7.2.1
CPU System Time (%)                            Percent         .1.3.6.1.4.1.2620.1.6.7.2.2
CPU Idle Time (%)                              Percent         .1.3.6.1.4.1.2620.1.6.7.2.3
CPU Usage (%)                                  Percent         .1.3.6.1.4.1.2620.1.6.7.2.4
CPU Queue Length                               Count           .1.3.6.1.4.1.2620.1.6.7.2.5
CPU Interrupts/Sec                             Count/Second    .1.3.6.1.4.1.2620.1.6.7.2.6
Disk Free Space (%)                            Percent         .1.3.6.1.4.1.2620.1.6.7.3.3
Disk Total Free Space (Bytes)                  Bytes           .1.3.6.1.4.1.2620.1.6.7.3.4
Disk Available Free Space (Bytes)              Bytes           .1.3.6.1.4.1.2620.1.6.7.3.5
Disk Total Space (Bytes)                       Bytes           .1.3.6.1.4.1.2620.1.6.7.3.6
Encrypted packets                              Count           .1.3.6.1.4.1.2620.1.2.4.1.1
Decrypted packets                              Count           .1.3.6.1.4.1.2620.1.2.4.1.2
Encryption errors                              Count           .1.3.6.1.4.1.2620.1.2.4.2.1
Decryption errors                              Count           .1.3.6.1.4.1.2620.1.2.4.2.2
IKE current SAs                                Count           .1.3.6.1.4.1.2620.1.2.9.1.1
IKE no response from peer (initiator errors)   Count           .1.3.6.1.4.1.2620.1.2.9.2.2
IPsec current Inbound SAs                      Count           .1.3.6.1.4.1.2620.1.2.5.2.1
IPsec current Outbound SAs                     Count           .1.3.6.1.4.1.2620.1.2.5.2.3
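As an added illustration, not Check Point's own /sbin/cloudwatch implementation, the following Python builds the PutMetricData payload that one of the once-a-minute polls described in the Setup section would produce for a few of the OIDs in the table above. The OID-to-metric mapping and units come from this table; the instance id, timestamp, the "CheckPoint/Gateway" namespace and the 20-metric batch size are assumptions, and the SNMP values are constructed.

```python
from typing import Dict, List, Tuple

# Subset of the appendix OID table (OIDs and names from the page; units are valid PutMetricData units).
OID_TABLE: Dict[str, Tuple[str, str]] = {
    ".1.3.6.1.4.1.2620.1.1.25.3": ("Num. Connections", "Count"),
    ".1.3.6.1.4.1.2620.1.6.7.2.4": ("CPU Usage (%)", "Percent"),
    ".1.3.6.1.4.1.2620.1.6.7.2.6": ("CPU Interrupts/Sec", "Count/Second"),
    ".1.3.6.1.4.1.2620.1.2.4.2.2": ("Decryption errors", "Count"),
}

def build_metric_data(polled: Dict[str, str], instance_id: str, timestamp: str) -> List[dict]:
    """Turn raw SNMP GET results (OID -> string value) into PutMetricData MetricData entries.
    Unknown OIDs, non-numeric values and out-of-range percentages are dropped, so a failed
    poll never becomes a bogus datapoint that could fire a scaling alarm."""
    entries = []
    for oid, raw in polled.items():
        if oid not in OID_TABLE:
            continue
        name, unit = OID_TABLE[oid]
        try:
            value = float(raw)
        except (TypeError, ValueError):
            continue
        if unit == "Percent" and not 0.0 <= value <= 100.0:
            continue
        entries.append({"MetricName": name, "Value": value, "Unit": unit,
                        "Timestamp": timestamp,  # ISO 8601 UTC string, as PutMetricData accepts
                        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}]})
    return entries

def put_metric_data_requests(entries: List[dict], namespace: str, batch_size: int = 20) -> List[dict]:
    """Split entries into PutMetricData request bodies. batch_size=20 is a conservative per-request
    cap (assumption; check the current quota). The namespace is the value an IAM condition on
    cloudwatch:namespace can pin the gateway's role to, instead of relying on the policy's bare "*"."""
    return [{"Namespace": namespace, "MetricData": entries[i:i + batch_size]}
            for i in range(0, len(entries), batch_size)]

# Constructed sample poll: values for the OIDs above plus an SNMP error string and an unknown OID.
SAMPLE_POLL = {
    ".1.3.6.1.4.1.2620.1.1.25.3": "1842",
    ".1.3.6.1.4.1.2620.1.6.7.2.4": "37",
    ".1.3.6.1.4.1.2620.1.6.7.2.6": "noSuchObject",  # skipped: not numeric
    ".1.3.6.1.4.1.2620.1.2.4.2.2": "0",
    ".1.3.6.1.4.1.2620.1.99.99": "5",  # skipped: not in the table (constructed OID)
}

def sample_requests() -> List[dict]:
    """Constructed end-to-end run: instance id, timestamp and namespace are example values."""
    data = build_metric_data(SAMPLE_POLL, "i-0123456789abcdef0", "2024-01-01T00:00:00Z")
    return put_metric_data_requests(data, "CheckPoint/Gateway")
```

Each request body returned by sample_requests() is what would be handed to the PutMetricData API call that the IAM policy in step 1 permits.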


Additional information about Check Point MIB and SNMP:
