update project

f14aae2c · thl-cmk · 90561c67 · f14aae2c · f14aae2c · f14aae2c
Commit f14aae2c authored 3 years ago by thl-cmk
--- a/agent_based/checkpoint_remoteaccess.py
+++ b/agent_based/checkpoint_remoteaccess.py
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2019-08-19
+#
+# monitor check point remote access vpn connections
+#
+# 2021-08-31: rewritten for CMK 2.0
+#
+# info with policy server down and no remote access connections
+# [[], [['', '0', '0', '0', '0', '2', 'Down', 'Policy Server is down']]]
+#
+# policy server activated/up no RA users
+# [[], [['Policy Server', '6', '0', '4294967294', '0', '0', 'OK', 'Policy Server is up']]]
+#
+#      raUserState OBJECT-TYPE
+#            SYNTAX  INTEGER {
+#                          active(3),
+#                          destroy(4),
+#                          idle(129),
+#                          phase1(130),
+#                          down(131),
+#                          init(132)
+#             		}
+#
+#      raTunnelEncAlgorithm OBJECT-TYPE
+#            SYNTAX  INTEGER {
+#                          espDES(1),
+#                          esp3DES(2),
+#                          espCAST(5),
+#                          esp3IDEA(7),
+#                          espNULL(9),
+#                          espAES128(129),
+#                          espAES256(130)
+#             		}
+#
+#      raTunnelAuthMethod OBJECT-TYPE
+#            SYNTAX  INTEGER {
+#                          preshared-key(1),
+#                          dss-signature(2),
+#                          rsa-signature(3),
+#                          rsa-encryption(4),
+#                          rev-rsa-encryption(5),
+#                          xauth(129),
+#                          crack(130)
+#             		}
+#
+# CHECKPOINT-MIB::raUsersEntry.2.172.16.1.1.0 = STRING: "user1"
+# CHECKPOINT-MIB::raUsersEntry.2.172.16.1.2.0 = STRING: "user2"
+# CHECKPOINT-MIB::raUsersEntry.2.172.16.1.5.0 = STRING: "user3"
+# CHECKPOINT-MIB::raUsersEntry.4.172.16.1.1.0 = Gauge32: 3
+# CHECKPOINT-MIB::raUsersEntry.4.172.16.1.2.0 = Gauge32: 3
+# CHECKPOINT-MIB::raUsersEntry.4.172.16.1.5.0 = Gauge32: 3
+# CHECKPOINT-MIB::raExternalIpAddr.172.16.1.1.0 = IpAddress: 21.11.219.184
+# CHECKPOINT-MIB::raExternalIpAddr.172.16.1.2.0 = IpAddress: 17.19.215.31
+# CHECKPOINT-MIB::raExternalIpAddr.172.16.1.5.0 = IpAddress: 27.19.15.12
+# CHECKPOINT-MIB::raUserState.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 3
+# CHECKPOINT-MIB::raUserState.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 3
+# CHECKPOINT-MIB::raUserState.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 3
+# CHECKPOINT-MIB::raOfficeMode.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raOfficeMode.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raOfficeMode.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raUseUDPEncap.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 2
+# CHECKPOINT-MIB::raUseUDPEncap.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 2
+# CHECKPOINT-MIB::raUseUDPEncap.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 2
+# CHECKPOINT-MIB::raVisitorMode.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 0
+# CHECKPOINT-MIB::raVisitorMode.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 0
+# CHECKPOINT-MIB::raVisitorMode.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 0
+# CHECKPOINT-MIB::raRouteTraffic.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raRouteTraffic.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raRouteTraffic.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 1
+# CHECKPOINT-MIB::raCommunity.172.16.1.1.0 = STRING: RemoteAccess
+# CHECKPOINT-MIB::raCommunity.172.16.1.2.0 = STRING: RemoteAccess
+# CHECKPOINT-MIB::raCommunity.172.16.1.5.0 = STRING: RemoteAccess
+# CHECKPOINT-MIB::raTunnelEncAlgorithm.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 130
+# CHECKPOINT-MIB::raTunnelEncAlgorithm.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 130
+# CHECKPOINT-MIB::raTunnelEncAlgorithm.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 130
+# CHECKPOINT-MIB::raTunnelAuthMethod.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 129
+# CHECKPOINT-MIB::raTunnelAuthMethod.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 129
+# CHECKPOINT-MIB::raTunnelAuthMethod.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 129
+# CHECKPOINT-MIB::raLogonTime.172.16.1.1.0 = Wrong Type (should be INTEGER): Gauge32: 1565942591
+# CHECKPOINT-MIB::raLogonTime.172.16.1.2.0 = Wrong Type (should be INTEGER): Gauge32: 1565935409
+# CHECKPOINT-MIB::raLogonTime.172.16.1.5.0 = Wrong Type (should be INTEGER): Gauge32: 1565947344
+# CHECKPOINT-MIB::raUsersEntry.30.172.16.1.1.0 = Gauge32: 8
+# CHECKPOINT-MIB::raUsersEntry.30.172.16.1.2.0 = Gauge32: 8
+# CHECKPOINT-MIB::raUsersEntry.30.172.16.1.5.0 = Gauge32: 8
+#
+# .1.3.6.1.4.1.2620.500.9000.1.2.172.16.1.1.0 = STRING: "user1"
+# .1.3.6.1.4.1.2620.500.9000.1.2.172.16.1.2.0 = STRING: "user2"
+# .1.3.6.1.4.1.2620.500.9000.1.2.172.16.1.5.0 = STRING: "user3"
+# .1.3.6.1.4.1.2620.500.9000.1.4.172.16.1.1.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.4.172.16.1.2.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.4.172.16.1.5.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.19.172.16.1.1.0 = IpAddress: 21.11.219.184
+# .1.3.6.1.4.1.2620.500.9000.1.19.172.16.1.2.0 = IpAddress: 17.19.215.31
+# .1.3.6.1.4.1.2620.500.9000.1.19.172.16.1.5.0 = IpAddress: 27.19.15.12
+# .1.3.6.1.4.1.2620.500.9000.1.20.172.16.1.1.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.20.172.16.1.2.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.20.172.16.1.5.0 = Gauge32: 3
+# .1.3.6.1.4.1.2620.500.9000.1.21.172.16.1.1.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.21.172.16.1.2.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.21.172.16.1.5.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.23.172.16.1.1.0 = Gauge32: 2
+# .1.3.6.1.4.1.2620.500.9000.1.23.172.16.1.2.0 = Gauge32: 2
+# .1.3.6.1.4.1.2620.500.9000.1.23.172.16.1.5.0 = Gauge32: 2
+# .1.3.6.1.4.1.2620.500.9000.1.24.172.16.1.1.0 = Gauge32: 0
+# .1.3.6.1.4.1.2620.500.9000.1.24.172.16.1.2.0 = Gauge32: 0
+# .1.3.6.1.4.1.2620.500.9000.1.24.172.16.1.5.0 = Gauge32: 0
+# .1.3.6.1.4.1.2620.500.9000.1.25.172.16.1.1.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.25.172.16.1.2.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.25.172.16.1.5.0 = Gauge32: 1
+# .1.3.6.1.4.1.2620.500.9000.1.26.172.16.1.1.0 = STRING: "RemoteAccess"
+# .1.3.6.1.4.1.2620.500.9000.1.26.172.16.1.2.0 = STRING: "RemoteAccess"
+# .1.3.6.1.4.1.2620.500.9000.1.26.172.16.1.5.0 = STRING: "RemoteAccess"
+# .1.3.6.1.4.1.2620.500.9000.1.27.172.16.1.1.0 = Gauge32: 130
+# .1.3.6.1.4.1.2620.500.9000.1.27.172.16.1.2.0 = Gauge32: 130
+# .1.3.6.1.4.1.2620.500.9000.1.27.172.16.1.5.0 = Gauge32: 130
+# .1.3.6.1.4.1.2620.500.9000.1.28.172.16.1.1.0 = Gauge32: 129
+# .1.3.6.1.4.1.2620.500.9000.1.28.172.16.1.2.0 = Gauge32: 129
+# .1.3.6.1.4.1.2620.500.9000.1.28.172.16.1.5.0 = Gauge32: 129
+# .1.3.6.1.4.1.2620.500.9000.1.29.172.16.1.1.0 = Gauge32: 1565942591
+# .1.3.6.1.4.1.2620.500.9000.1.29.172.16.1.2.0 = Gauge32: 1565935409
+# .1.3.6.1.4.1.2620.500.9000.1.29.172.16.1.5.0 = Gauge32: 1565947344
+# .1.3.6.1.4.1.2620.500.9000.1.30.172.16.1.1.0 = Gauge32: 8
+# .1.3.6.1.4.1.2620.500.9000.1.30.172.16.1.2.0 = Gauge32: 8
+# .1.3.6.1.4.1.2620.500.9000.1.30.172.16.1.5.0 = Gauge32: 8
+#
+# string_table = [
+#     ['user1', '3', '21.11.219.184', '3', '1', '', '2', '0', '1', 'RemoteAccess', '130', '129', '1565942591'],
+#     ['user2', '3', '17.19.215.31', '3', '1', '', '2', '0', '1', 'RemoteAccess', '130', '129', '1565935409'],
+#     ['user3', '3', '27.19.15.12', '3', '1', '', '2', '0', '1', 'RemoteAccess', '130', '129', '1565947344']
+# ]
+#
+
+import time
+from dataclasses import dataclass
+from typing import List, Optional, NamedTuple
+
+from cmk.base.plugins.agent_based.agent_based_api.v1 import (
+    register,
+    Service,
+    Result,
+    check_levels,
+    Metric,
+    State,
+    SNMPTree,
+    all_of,
+    startswith,
+    any_of,
+    equals,
+)
+from cmk.base.plugins.agent_based.agent_based_api.v1.type_defs import (
+    DiscoveryResult,
+    CheckResult,
+    StringTable,
+)
+
+
+class BadUser(NamedTuple):
+    user: str
+    remote_ip: str
+    enc_algorithm: str
+    logon_timne: str
+
+
+@dataclass
+class CheckpointRemoteaccess:
+    raUsers: int
+    raUsersActive: int
+    raUsersDestroy: int
+    raUsersIdle: int
+    raUsersPhase1: int
+    raUsersDown: int
+    raUsersInit: int
+    raUsersOfficeMode: int
+    raUsersIkeOverTcp: int
+    raUsersUDPEncap: int
+    raUsersVisitorMode: int
+    raUsersRouteTraffic: int
+    raBadEncryption: int
+    badUsers: Optional[List[BadUser]] = None
+
+
+_raTunnelEncAlgorithm = {
+    '1': 'DES',
+    '2': '3DES',
+    '5': 'CAST',
+    '7': '3IDEA',
+    '9': 'NULL',
+    '129': 'AES128',
+    '130': 'AES256',
+}
+
+
+def parse_checkpoint_remoteaccess(string_table: StringTable) -> Optional[CheckpointRemoteaccess]:
+    remote_access = CheckpointRemoteaccess(
+        raUsers=len(string_table),
+        raUsersActive=0,
+        raUsersDestroy=0,
+        raUsersIdle=0,
+        raUsersPhase1=0,
+        raUsersDown=0,
+        raUsersInit=0,
+        raUsersOfficeMode=0,
+        raUsersIkeOverTcp=0,
+        raUsersUDPEncap=0,
+        raUsersVisitorMode=0,
+        raUsersRouteTraffic=0,
+        raBadEncryption=0,
+        badUsers=[],
+    )
+
+    for entry in string_table:
+        try:
+            raUserName, raExternalIpAddr, raUserState, raOfficeMode, raIkeOverTCP, raUseUDPEncap, \
+            raVisitorMode, raRouteTraffic, raTunnelEncAlgorithm, raTunnelAuthMethod, raLogonTime = entry
+        except ValueError:
+            return
+        raUserState = int(raUserState)
+
+        if raUserState == 3:
+            remote_access.raUsersActive += 1
+        elif raUserState == 4:
+            remote_access.raUsersDestroy += 1
+        elif raUserState == 129:
+            remote_access.raUsersIdle += 1
+        elif raUserState == 130:
+            remote_access.raUsersPhase1 += 1
+        elif raUserState == 131:
+            remote_access.raUsersDown += 1
+        elif raUserState == 132:
+            remote_access.raUsersInit += 1
+
+        if raOfficeMode == '1':
+            remote_access.raUsersOfficeMode += 1
+
+        if raIkeOverTCP == '1':
+            remote_access.raUsersIkeOverTcp += 1
+
+        if raUseUDPEncap == '2':
+            remote_access.raUsersUDPEncap += 1
+
+        if raVisitorMode == '1':
+            remote_access.raUsersVisitorMode += 1
+
+        if raRouteTraffic == '1':
+            remote_access.raUsersRouteTraffic += 1
+
+        if int(raTunnelEncAlgorithm) in [1, 2, 5, 7, 9]:
+            remote_access.raBadEncryption += 1
+            remote_access.badUsers.append(BadUser(
+                user=raUserName,
+                remote_ip=raExternalIpAddr,
+                enc_algorithm=_raTunnelEncAlgorithm.get(raTunnelEncAlgorithm),
+                logon_timne=time.ctime(int(raLogonTime)),
+            ))
+
+    return remote_access
+    
+
+def discovery_checkpoint_remoteaccess(section: CheckpointRemoteaccess) -> DiscoveryResult:
+    yield Service()
+
+
+def check_checkpoint_remoteaccess(params, section: CheckpointRemoteaccess) -> CheckResult:
+    yield from check_levels(
+        value=section.raUsers,
+        label='Users',
+        levels_upper=params.get('levels_upper_ra_users'),
+        render_func=lambda v: f'{v:.0f}',
+        boundaries=(0, None),
+        metric_name='checkpoint_remoteaccess_raUsers',
+    )
+
+    if section.raBadEncryption > 0:
+        yield Result(state=State.WARN, notice=f'{section.raBadEncryption} user(s) with bad encryption')
+        for bad_user in section.badUsers:
+            yield Result(
+                state=State.OK,
+                notice=f'User: {bad_user.user}, '
+                       f'Remote IP: {bad_user.remote_ip}, '
+                       f'encryption: {bad_user.enc_algorithm}, '
+                       f'logon time: {bad_user.logon_timne}'
+            )
+
+    for key, value in [
+                ('raUsersActive', section.raUsersActive),
+                ('raUsersDestroy', section.raUsersDestroy),
+                ('raUsersIdle', section.raUsersIdle),
+                ('raUsersPhase1', section.raUsersPhase1),
+                ('raUsersDown', section.raUsersDown),
+                ('raUsersInit', section.raUsersInit),
+                ('raBadEncryption', section.raBadEncryption),
+                ('raUsersOfficeMode', section.raUsersOfficeMode),
+                ('raUsersIkeOverTcp', section.raUsersIkeOverTcp),
+                ('raUsersUDPEncap', section.raUsersUDPEncap),
+                ('raUsersVisitorMode', section.raUsersVisitorMode),
+               ]:
+        yield Metric(
+            value=value,
+            name=f'checkpoint_remoteaccess_{key}',
+            boundaries=(0, None),
+        )
+
+
+register.snmp_section(
+    name='checkpoint_remoteaccess',
+    parse_function=parse_checkpoint_remoteaccess,
+    fetch=SNMPTree(
+        base='.1.3.6.1.4.1.2620.500.9000.1',  #
+        oids=[
+            '2',  # UserName
+            '19',  # raExternalIpAddr
+            '20',  # raUserState
+            '21',  # raOfficeMode
+            '22',  # raIkeOverTCP
+            '23',  # raUseUDPEncap
+            '24',  # raVisitorMode
+            '25',  # raRouteTraffic
+            '27',  # raTunnelEncAlgorithm
+            '28',  # raTunnelAuthMethod
+            '29',  # raLogonTime
+        ]
+    ),
+    detect=all_of(
+        any_of(
+            startswith('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.2620'),
+            all_of(
+                equals('.1.3.6.1.2.1.1.2.0', '.1.3.6.1.4.1.8072.3.2.10'),
+                equals('.1.3.6.1.4.1.2620.1.6.1.0', 'SVN Foundation'),
+            )
+        ),
+        equals('.1.3.6.1.4.1.2620.1.1.21.0', 'Firewall'),
+    )
+)
+
+register.check_plugin(
+    name='checkpoint_remoteaccess',
+    service_name='Remote Access',
+    discovery_function=discovery_checkpoint_remoteaccess,
+    check_function=check_checkpoint_remoteaccess,
+    check_ruleset_name='checkpoint_remoteaccess',
+    check_default_parameters={},
+)
--- a/checkpoint_remoteaccess.mkp
+++ b/checkpoint_remoteaccess.mkp
--- a/packages/checkpoint_remoteaccess
+++ b/packages/checkpoint_remoteaccess
-{'author': u'Th.L. (thl-cmk[at]outlook[dot]com)',
- 'description': u'Monitor Check Point Firewall remote access vpn connections.\n',
+{'author': 'Th.L. (thl-cmk[at]outlook[dot]com)',
+ 'description': 'Monitor Check Point Firewall remote access vpn connections.\n',
 'download_url': 'https://thl-cmk.hopto.org',
- 'files': {'checks': ['checkpoint_remoteaccess'],
+ 'files': {'agent_based': ['checkpoint_remoteaccess.py'],
           'web': ['plugins/metrics/checkpoint_remoteaccess.py',
                   'plugins/wato/checkpoint_remoteaccess.py']},
 'name': 'checkpoint_remoteaccess',
 'num_files': 3,
- 'title': u'Check Point remote access',
- 'version': '20200608.v.0.0.1a',
- 'version.min_required': '1.2.8b8',
- 'version.packaged': '1.6.0p12',
+ 'title': 'Check Point remote access',
+ 'version': '20210831.v.0.0.2',
+ 'version.min_required': '2.0.0',
+ 'version.packaged': '2021.07.14',
 'version.usable_until': None}
\ No newline at end of file
--- a/web/plugins/metrics/checkpoint_remoteaccess.py
+++ b/web/plugins/metrics/checkpoint_remoteaccess.py
-#!/usr/bin/python
-# -*- encoding: utf-8; py-indent-offset: 4 -*-
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
 #
 # License: GNU General Public License v2
 #
@@ -10,136 +10,134 @@
 # Check Point Policy Server connections metrics plugins
 # checkpoint_remoteaccess
 #
+from cmk.gui.i18n import _

-##############################################################################
-#
-# define units for perfdata
-#
-##############################################################################
-
-##############################################################################
-#
-# define metrics for perfdata
-#
-##############################################################################
-
-metric_info['checkpoint_remoteaccess_dtpsConnectedUsers'] = {
-    'title': _('DTPS Connected users'),
-    'unit': 'count',
-    'color': '11/a',
-}
+from cmk.gui.plugins.metrics import (
+    metric_info,
+    graph_info,
+    perfometer_info
+)

 metric_info['checkpoint_remoteaccess_raUsers'] = {
    'title': _('RA Connected users'),
    'unit': 'count',
-    'color': '12/a',
+    'color': '26/a',
 }

 metric_info['checkpoint_remoteaccess_raUsersActive'] = {
    'title': _('RA users active'),
    'unit': 'count',
-    'color': '13/a',
+    'color': '12/a',
 }
 metric_info['checkpoint_remoteaccess_raUsersDestroy'] = {
    'title': _('RA users destroy'),
    'unit': 'count',
-    'color': '14/a',
+    'color': '22/a',
 }
 metric_info['checkpoint_remoteaccess_raUsersIdle'] = {
    'title': _('RA users idle'),
    'unit': 'count',
-    'color': '15/a',
+    'color': '32/a',
 }
 metric_info['checkpoint_remoteaccess_raUsersPhase1'] = {
    'title': _('RA users phase1'),
    'unit': 'count',
-    'color': '16/a',
+    'color': '42/a',
 }
 metric_info['checkpoint_remoteaccess_raUsersDown'] = {
    'title': _('RA users down'),
    'unit': 'count',
-    'color': '21/a',
+    'color': '13/a',
 }
 metric_info['checkpoint_remoteaccess_raUsersInit'] = {
    'title': _('RA users init'),
    'unit': 'count',
-    'color': '22/a',
+    'color': '23/a',
 }

 metric_info['checkpoint_remoteaccess_raBadEncryption'] = {
    'title': _('RA users with bad encryption'),
    'unit': 'count',
-    'color': '22/a',
+    'color': '36/a',
 }
-##############################################################################
-#
-# map perfdata to metric
-#
-##############################################################################

-check_metrics['check_mk-checkpoint_remoteaccess'] = {
-    'dtpsConnectedUsers': {'name': 'checkpoint_remoteaccess_dtpsConnectedUsers', },
-    'raUsers': {'name': 'checkpoint_remoteaccess_raUsers', },
-    'raUsersActive': {'name': 'checkpoint_remoteaccess_raUsersActive', },
-    'raUsersDestroy': {'name': 'checkpoint_remoteaccess_raUsersDestroy', },
-    'raUsersIdle': {'name': 'checkpoint_remoteaccess_raUsersIdle', },
-    'raUsersPhase1': {'name': 'checkpoint_remoteaccess_raUsersPhase1', },
-    'raUsersDown': {'name': 'checkpoint_remoteaccess_raUsersDown', },
-    'raUsersInit': {'name': 'checkpoint_remoteaccess_raUsersInit', },
-    'raBadEncryption': {'name': 'checkpoint_remoteaccess_raBadEncryption', },
+metric_info['checkpoint_remoteaccess_raUsersOfficeMode'] = {
+    'title': _('Office mode'),
+    'unit': 'count',
+    'color': '11/a',
+}
+metric_info['checkpoint_remoteaccess_raUsersIkeOverTcp'] = {
+    'title': _('IKE over TCP'),
+    'unit': 'count',
+    'color': '21/a',
+}
+metric_info['checkpoint_remoteaccess_raUsersUDPEncap'] = {
+    'title': _('UDP encapsulation'),
+    'unit': 'count',
+    'color': '31/a',
 }

-##############################################################################
-#
-# how to graph perdata
-#
-##############################################################################
+metric_info['checkpoint_remoteaccess_raUsersVisitorMode'] = {
+    'title': _('Visitor mode'),
+    'unit': 'count',
+    'color': '41/a',
+}

-graph_info.append({
+graph_info['checkpoint_remoteaccess_users'] = {
    'title': _('Check Point Remote Access Users'),
    'metrics': [
-        ('checkpoint_remoteaccess_dtpsConnectedUsers', 'line'),
-        ('checkpoint_remoteaccess_raUsers', '-line'),
-        ('checkpoint_remoteaccess_raUsersActive', '-stack', ),
-        ('checkpoint_remoteaccess_raUsersDestroy', '-stack', ),
-        ('checkpoint_remoteaccess_raUsersIdle', '-stack', ),
-        ('checkpoint_remoteaccess_raUsersPhase1', '-stack', ),
-        ('checkpoint_remoteaccess_raUsersDown', '-stack', ),
-        ('checkpoint_remoteaccess_raUsersInit', '-stack', ),
+        ('checkpoint_remoteaccess_raUsers', 'line'),
+        ('checkpoint_remoteaccess_raUsersActive', 'stack',),
+        ('checkpoint_remoteaccess_raUsersDestroy', 'stack',),
+        ('checkpoint_remoteaccess_raUsersIdle', 'stack',),
+        ('checkpoint_remoteaccess_raUsersPhase1', 'stack',),
+        ('checkpoint_remoteaccess_raUsersDown', 'stack',),
+        ('checkpoint_remoteaccess_raUsersInit', 'stack',),
    ],
    'scalars': [
        ('checkpoint_remoteaccess_dtpsConnectedUsers:crit', _('crit')),
        ('checkpoint_remoteaccess_dtpsConnectedUsers:warn', _('warn')),
    ],
-})
+    'optional_metrics': [
+        'checkpoint_remoteaccess_raUsers',
+        'checkpoint_remoteaccess_raUsersActive',
+        'checkpoint_remoteaccess_raUsersDestroy',
+        'checkpoint_remoteaccess_raUsersIdle',
+        'checkpoint_remoteaccess_raUsersPhase1',
+        'checkpoint_remoteaccess_raUsersDown',
+        'checkpoint_remoteaccess_raUsersInit',
+    ]
+}
+
+graph_info['checkpoint_remoteaccess_connection'] = {
+    'title': _('Check Point Remote Access Users Connection'),
+    'metrics': [
+        ('checkpoint_remoteaccess_raUsersOfficeMode', 'line'),
+        ('checkpoint_remoteaccess_raUsersIkeOverTcp', 'line',),
+        ('checkpoint_remoteaccess_raUsersUDPEncap', 'line',),
+        ('checkpoint_remoteaccess_raUsersVisitorMode', 'line',),
+    ],

+    'optional_metrics': [
+        'checkpoint_remoteaccess_raUsersOfficeMode',
+        'checkpoint_remoteaccess_raUsersIkeOverTcp',
+        'checkpoint_remoteaccess_raUsersUDPEncap',
+        'checkpoint_remoteaccess_raUsersVisitorMode',
+    ]
+}

-graph_info.append({
+graph_info['checkpoint_remoteaccess_raBadEncryption'] = {
    'title': _('Check Point Remote Access bad encryption'),
    'metrics': [
        ('checkpoint_remoteaccess_raBadEncryption', 'line'),
    ],
-})
-
-
-##############################################################################
-#
-# define perf-o-meter
-#
-##############################################################################
-
+}

-# perfometer_info.append(('stacked', [
-#     {
-#         'type': 'logarithmic',
-#         'metric': 'checkpoint_connections_connections',
-#         'half_value': 100000.0,
-#         'exponent': 2,
-#     },
-#     {
-#         'type': 'logarithmic',
-#         'metric': 'checkpoint_connections_fwconnections',
-#         'half_value': 1000.0,
-#         'exponent': 2,
-#     },
-# ]))
+perfometer_info.append(
+    {
+        'type': 'logarithmic',
+        'metric': 'checkpoint_remoteaccess_raUsers',
+        'half_value': 500.0,
+        'exponent': 2,
+    },
+)
--- a/web/plugins/wato/checkpoint_remoteaccess.py
+++ b/web/plugins/wato/checkpoint_remoteaccess.py
-register_check_parameters(
-    subgroup_networking,
-    'checkpoint_remoteaccess',
-    _('Check Point remote access'),
-    Dictionary(
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# License: GNU General Public License v2
+#
+# Author: thl-cmk[at]outlook[dot]com
+# URL   : https://thl-cmk.hopto.org
+# Date  : 2019-08-19
+#
+from cmk.gui.i18n import _
+from cmk.gui.valuespec import (
+    Dictionary,
+    Integer,
+    Tuple,
+)
+
+from cmk.gui.plugins.wato import (
+    CheckParameterRulespecWithItem,
+    rulespec_registry,
+    RulespecGroupCheckParametersNetworking,
+)
+
+
+def _parameter_valuespec_checkpoint_remoteaccess():
+    return Dictionary(
        help=_(''),
        elements=[
-            ('raUsers',
+            ('levels_upper_ra_users',
             Tuple(
-                 title=_("war/crit levels for number of RA users"),
-                 help=_("warn/crit"),
+                 title=_('Upper levels for remote access users'),
                 elements=[
-                     Integer(title=_("Warning at"), unit=_("sessions"), default_value=40),
-                     Integer(title=_("Critical at"), unit=_("sessions"), default_value=100),
+                     Integer(title=_('Warning at'), unit=_('users'), ),
+                     Integer(title=_('Critical at'), unit=_('users'), ),
                 ],
-             ),
-             ),
-            ('raMaxUsers',
-                Integer(title=_('max. RA users for perfdata'), unit=_("sessions"), default_value=250)
-             )
+             )),
        ],
-    ),
-    None,
-    match_type='dict',
-)
+    )
+
+
+rulespec_registry.register(
+    CheckParameterRulespecWithItem(
+        check_group_name='checkpoint_remoteaccess',
+        group=RulespecGroupCheckParametersNetworking,
+        match_type='dict',
+        parameter_valuespec=_parameter_valuespec_checkpoint_remoteaccess,
+        title=lambda: _('Check Point remote access'),
+    ))