SNMP on SPLAT - any HOWTO?

[varera]

Hi all!

Do you know any existing SNMP How To documents?

CP documentation is weird (as usual), and I have to do some basic configurations (like enabling RO community) in a short time.

Thanks for your answers.

[cciesec2006]

Quote:

Originally Posted by varera

Hi all!

Do you know any existing SNMP How To documents?

CP documentation is weird (as usual), and I have to do some basic configurations (like enabling RO community) in a short time.

Thanks for your answers.

step 1: service snmpd restart
step 2: edit /etc/snmp/snmpd.users.conf and replace public with your actual
snmp community string
step 3: service snmpd restart
step 4: netstat -an | grep 161

for checkpoint snmpd port 260:

step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp
community inside the read and write (). If you leave the write empty,
it will use "private" as the community string. This is a security risk.

step 2: run sysconfig and start the checkpoint snmpd extension

step 3: perform cpstop;cpstart

step 4: netstat -an | grep 260

now you should have both snmp and checkpoint snmpd daemon running on the box.

Easy right?

[melipla]

Quote:

Originally Posted by cciesec2006

Easy right?

Is there any benefit to having both snmpd's running?

[cciesec2006]

Quote:

Originally Posted by melipla

Is there any benefit to having both snmpd's running?

with checkpoint snmpd running, you can collect the number of active
connections in checkpoint tables like "fw tab -s -t connections" and other
things. I don't think you can get this value with regular snmp

[dsb.nepo]

Quote:

step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp
community inside the read and write ().

This can also be set at the object in SmartDashboard.

[cciesec2006]

Quote:

Originally Posted by dsb.nepo

This can also be set at the object in SmartDashboard.

Are you sure about this? I saw that option but it uses port 161 instead
of port 260. I verified it with tcpdump

[dsb.nepo]

Quote:

Are you sure about this? I saw that option but it uses port 161 instead
of port 260. I verified it with tcpdump

Sorry for the false information my fault.
You are right, to access the CP mib the file $FWDIR/conf/snmp.C shoud be configured.
Information from the dialog are from the system mib.

Quote:

Is there any benefit to having both snmpd's running?

Yes, so you can monitor both
- HD space/CPU/memory/traffice ... (system values)
- accepted/dropped/rejected packets, cp states ... (CP values)

[boldin]

So, I've gathered the steps necessary to get SNMP monitoring working properly with our monitor system and it tested successfully with our test box.

However, I'm looking for some scripting help (I know this may not be the right thread or area, but it's as good as any I guess), since I'm a total newb to scripting...

Is there a way to setup a script that will perform the following:
1. SSH to device1
2. change to expert
3. Edit /etc/snmp/snmpd.conf to include my read-only community strings and IP's at the appropriate area of the file (always by adding lines after the line that says "master agentx").
4. enable snmp service on 161
6. perform a cpstop
7. perform a cpstart
8. send an smtp relay to an email address stating that it was successful.
9. Loop previous steps to remaining device2, device3..., approximately 60 devices, then smtp relay again upon completion of all devices.
<end>

Thanks in advance...

[lammbo]

Does anyone have any recommendations on what to dump these to?

I have a Cacti server for snmp I use on with my perimeter routers and HP System Insight Manager for my windows servers.

My guess would be Cacti, do they have mibs for this so the collected data would be useful? (sorry, snmp is a weak area for me so I only know just enough to be dangerous ;D)

[boldin]

There are two types of Check Point SNMP. One is the standard SNMP collected over port 161. This shouldn't require any special configuration or setup on the SNMP management system.

The other type is Check Point SNMP on port 260. This would require the MIB's to be imported into the management system.

The steps on SPLAT that I took to configure the SPLAT devices are as follows:

1. Log into system via ssh.

2. Change to Expert Mode.

3. Edit the /etc/snmp/snmpd.conf file:

a. Scroll to just past the “Master Agentx” line, and start a blank line, typing “a” (if using vi) to go to “append” mode.

b. Add the following lines in format (“rocommunity” = read only community; <community string>; <IP Address of Monitoring System>) and note that it's my understanding that Check Point does not allow the management system to write/change configs via SNMP:

rocommunity string x.x.x.x

c. Save and exit the file.

4. Run the chkconfig commands as described below, to make the daemon persistent across reboot (still unsure about this part of my list, but I did it anyway and I haven't experienced any problems yet):

chkconfig --add snmpd

chkconfig --level 345 snmpd on

5. Enable the snmp service by using this command, it will notify you upon success by giving you another prompt:

snmp service enable 161

6. 'snmp service stat' will verify that the service is running and on which port (successful response should be “SNMP service enabled and listening on port 161.”). Alternatively, you can run a netstat –an | grep 161 to verify (successful response should be “udp 0 0 0.0.0.0:161 0.0.0.0:*”).

Hope this helps...

[dsb.nepo]

@boldin
I don't think you can script the expert part, but it can be done if you have direct expert access via ssh.
You can write then a script(1) which transfer another script(2) that does the config at the gateway and call this from the machine which runs script(1).
I have no working solution for you available but I use this methode to configure/update most of my *NIX machines.

@lammbo
if you are running splat you can use the 'Generic SNMP host' to graph
- CPU
- load
- process
- memory
- mounted partitions
- interfaces

There is also a cacti template which covers
- Checkpoint - Connections
- Checkpoint - Packets accepted
- Checkpoint - Packets dropped
- Checkpoint - Packets logged
- Checkpoint - Packets rejected

If you like send me a PM and I will send you my working cacti template.

[boldin]

Well, we've gotten SNMP running on our devices, which I might add was rather quick and painless.

However, we are now having trouble with importing the Check Point MIB's into our management systems.

Any advice on Spectrum and/or eHealth Check Point Mib's?

The other big problem is scheduling a cpstop and cpstart for over 50 devices around the world - I wish Check Point would have made this as easy as the standard SNMP stuff...

[boldin]

Another update....

Well, after I thought I had everything working fine, I've come to find out that one of two things is not happening correctly. Either the snmpd.conf file is incorrect (see below) and therefore not passing Check Point SNMP to the service running on port 260, or the Check Point SNMP service on 260 is configured incorrectly.

It would appear that standard snmp is working fine.

Here's what I have for /etc/snmp/snmpd.conf:
---------
master agentx
rocommunity <comm_string> 1.2.3.4
rocommunity <comm_string> 2.3.4.1
rocommunity <comm_string> 3.4.1.2
rocommunity <comm_string> 4.1.2.3
pass 1.3.6.1.4.1.2620 127.0.0.1:260

<monitored stuff>
----------

Here's what I have for /$FWDIR/conf/snmp.C:
----------
(
: (
: (system.sysName.0
:value (dns_name)
)
: (system.sysDescr.0
:value ("Linux i386 vEL.3.0 Check Point FireWall-1 SecurePlatform")
)
: (system.sysContact.0
:value ("Firewall Team")
)
: (system.sysLocation.0
:value ("City - Function")
)
: (system.sysObjectID.0
:value (".1.3.6.1.4.1.2620.1.1")
)
)
:snmp_community (
:read (ro_comm_string)
:write (rw_comm_string)
)
)
----------

Here's output from snmpwalks:
[Expert@dns_name]# snmpwalk -v 2c -c ro_comm_string 127.0.0.1 1.3.6.1.4.1.2620.1.1
SNMPv2-SMI::enterprises.2620.1.1 = No Such Object available on this agent at this OID

[Expert@dns_name]# snmpwalk -v 2c -c ro_comm_string 127.0.0.1:260 1.3.6.1.4.1.2620.1.1
Timeout: No Response from 127.0.0.1:260

Steps taken:
1. Log into system in Admin Mode via ssh.
2. Change to Expert Mode.
3. Edit (vi) the /etc/snmp/snmpd.conf file:
a. Scroll to just past the “Master Agentx” line, and start a blank line, typing “a” to go to “append” mode.
b. Add the following lines in format (“rocommunity” = read only community; <community string>; <IP Address of Monitoring System>):
rocommunity ro_comm_string 1.2.3.4
rocommunity ro_comm_string 2.3.4.1
rocommunity ro_comm_string 3.4.1.2
rocommunity ro_comm_string 4.1.2.3
c. Edit the “syslocation” and “syscontact” lines to the describe the firewall.
d. Save and exit the file.
4. Run the chkconfig command as described below, to make the daemon persistent across reboot:
chkconfig --add snmpd
chkconfig --level 345 snmpd on
5. Enable the snmp service by using this command, it will notify you upon success by giving you another prompt:
snmp service enable 161
6. Remove the default snmp community string(s):
snmp user show – should return community strings used (public/private, etc.).
snmp user del public – deletes the default community string for security purposes.
snmp user del private – this user typically does not exist as a default entry since Checkpoint does not allow write community strings with standard snmp.
7. 'snmp service stat' will verify that the service is running and on which service (successful response should be “SNMP service enabled and listening on port 161.”). Alternatively, you can run a netstat –an | grep 161 to verify (successful response should be “udp 0 0 0.0.0.0:161 0.0.0.0:*”).
8. Modify the $FWDIR/conf/snmp.C file by placing the actual snmp communities inside the read( ) and write( ). Note – if you leave one empty, it will default to ‘public’ for read( ) and ‘private’ for write( ), which is a security risk.
vi $FWDIR/conf/snmp.C
It should look similar to this when completed:
(
: (
: (system.sysName.0
:value (dns_name)
)
: (system.sysDescr.0
:value ("Linux i386 vEL.3.0 Check Point FireWall-1")
)
: (system.sysContact.0
:value ("Contact Department - Telephone Number")
)
: (system.sysLocation.0
:value ("City - Function")
)
: (system.sysObjectID.0
:value (".1.3.6.1.4.1.2620.1.1")
)
)
:snmp_community (
:read (ro_comm_string)
:write (rw_comm_string)
)
)
Once verified that snmp is running on 161 (very important, if you proceed without snmp being enabled on 161, then Checkpoint snmp will enable itself on 161 rather than 260 according to the documentation I've found), go to cpconfig and then enable checkpoint snmp:
cpconfig
2 – SNMP Extension
Configuring SNMP Extension...
=============================
The SNMP daemon enables Check Point products module to export its status to external network management tools.
Would you like to activate Check Point products SNMP daemon ? (y/n) [n] ?
y – to enable.
8 – Exit
Thank You...

You have changed Check Point products Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
Would you like to do it now? (y/n) [y] ?
n – NO, do not perform a cpstop & cpstart until you verify with the customer that we have an agreed-upon maintenance window for the 2-5 minutes of downtime required. You will also need to enter the following information prior to performing the cpstop & cpstart.
9. Go into SmartDashboard and edit the CheckPoint Object to change the parameters in the "Advanced" window to add the ro_comm_string and rw_comm_string, etc.
10. Verify rules exist and add rules if necessary to allow icmp-ping, snmp-161 and fw1-snmp-260 to/from the SNMP management stations and all SNMP-monitored devices.
11. Push Policy to the enforcement point. If it is a SCS then go to Policy > Install Database > select the database you modified.
12. ssh into the firewall or management station, then perform a cpstop & cpstart. Once complete, perform a netstat –an | grep 260 – a successful response should look like this:
udp 0 0 0.0.0.0:260 0.0.0.0:*
13. Request firewall be discovered in SNMP management station by emailing person x and person y.

---------

I've also done another cpstop/cpstart after all of this, just to verify.

I know it's verbose, but I'm extremely frustrated that I haven't been able to figure this one out and the documentation from Check Point is lacking (big surprise). I've found about 4 versions of Check Point MIBs to import and all of them are failing miserably, including the most recent one I've found, dated last year. The ones I pulled from the device itself failed import on line 1, at least the others went a bit (not much) further before crapping out...

[ozsarman]

I hope this will be usefull for you.

Sample Usage:

snmpget -O s -c SNMPCOMMUNITY -v 1 IPADDRESS 1.3.6.1.4.1.2620.1.6.7.2.4.0

Result:

enterprises.2620.1.6.7.2.4.0 = INTEGER: 53

CPU Usage:

IDLE: .1.3.6.1.4.1.2620.1.6.7.2.3.0
SYSTEM: .1.3.6.1.4.1.2620.1.6.7.2.2.0
USAGE: .1.3.6.1.4.1.2620.1.6.7.2.4.0
USER: .1.3.6.1.4.1.2620.1.6.7.2.1.0


Ram Usage:


memActiveReal 1.3.6.1.4.1.2620.1.6.7.1.4.0

memFreeReal 1.3.6.1.4.1.2620.1.6.7.1.5.0

memTotalReal 1.3.6.1.4.1.2620.1.6.7.1.3.0


Packets:

fwAccepted 1.3.6.1.4.1.2620.1.1.4.0

fwRejected 1.3.6.1.4.1.2620.1.1.5.0

fwDropped 1.3.6.1.4.1.2620.1.1.6.0

fwLogged 1.3.6.1.4.1.2620.1.1.7.0



For All MIB:

CHECKPOINT-MIB SNMP MIB


Cacti:

Nokia IP Firewall Checkpoint Template


Best Regards,

Özdemir Şarman ( Ozdemir Sarman )

[jmccourt]

All,
Just to clear things up a bit, I've see a lot of people using:
pass 1.3.6.1.4.1.2620 127.0.0.1:260
or
proxy -v1 -c <community> 127.0.0.1:260 .1.3.6.1.4.1.2620

I remember using these in the past to combine Checkpoint SNMP and system SNMP to a single port (Great for those tools that don't allow you to use non standard ports for snmp queries).

It doesn't seem that either of these are needed now, is this because of the master agentx line?

without either of those lines, and just the master agentx entry in the snmpd.conf file I can do things like this.

snmpwalk -v2c -c <community> <ipaddress> 1.3.6.1.4.1.2620

>>
SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"
SNMPv2-SMI::enterprises.2620.1.1.2.0 = STRING: "*********"
SNMPv2-SMI::enterprises.2620.1.1.3.0 = STRING: "Thu Apr 16 17:44:21 2009"
SNMPv2-SMI::enterprises.2620.1.1.4.0 = INTEGER: 228951
SNMPv2-SMI::enterprises.2620.1.1.5.0 = INTEGER: 0
SNMPv2-SMI::enterprises.2620.1.1.6.0 = INTEGER: 5047
SNMPv2-SMI::enterprises.2620.1.1.7.0 = INTEGER: 16975
SNMPv2-SMI::enterprises.2620.1.1.8.0 = INTEGER: 6
SNMPv2-SMI::enterprises.2620.1.1.9.0 = INTEGER: 2

That is obvious checkpoint information the *****'s represented the installed policy.

All is good with neither of the pass, or proxy settings.


Thanks,
Jeremy McCourt

[boldin]

So we have SNMP setup, presumably properly, on all our systems. Now, we've found that after reboot the net-SNMP service (161, not 260) does not start properly. We're on R65 HFA_02, most devices are UTMs, some are M-series.

Any ideas on how to make this persistent? Am I missing something simple?

Thanks,
-Boldin

[melipla]

Quote:

Originally Posted by boldin

So we have SNMP setup, presumably properly, on all our systems. Now, we've found that after reboot the net-SNMP service (161, not 260) does not start properly. We're on R65 HFA_02, most devices are UTMs, some are M-series.

Any ideas on how to make this persistent? Am I missing something simple?

Thanks,
-Boldin

You most likely missed this command:
chkconfig --level 345 snmpd on

You can verify it by using:
chkconfig --list snmpd

also verify your default runlevel by looking for the "initdefault" line--it will be the number after id:
cat /etc/inittab |grep initdefault


HTH

[boldin]

I went in and ran the command again, even though it was in the script. Now, we wait and see what happens when the power goes out again. It survived a controlled reboot, just like last time...

Thank you

[Felix001]

Great tips guys, went straight in and enabled it within a few minutes, without any problems...

Ive created this from the guides below which someone may find useful.....

Video Tutorial / How do I Enable Checkpoint SNMPD on SPLAT ??

Thanks......

[ravi_vm]

Hi,

Need urgent help to configure threshold value for Checkpoint SPLAT MIB/OID.

We are running 8 SPLAT R70.1 firewalls with cluster and 2 R70.1 SmartCenter Servers. Now we want to monitor all these firewalls through native snmp management(etc/snmp/snmpd.conf). I would like to configure the threshold value for some of the checkpoint MIB's. I have configured threshold values for file system , CPU and Memory as following OID's.

cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.1 > 90 60 "/ > 10% used "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.2 > 90 60 "/boot > 10% used "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.3 > 90 60 "/opt > 10% used "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.4 > 90 60 "/sysimg > 10% used "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.5 > 90 60 "/var > 10% used "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.1.4 > 20000 60 "memActiveReal "
cp_monitor 1.3.6.1.4.1.2620.1.6.7.1.5 > 20000 60 "memFreeReal "

but now i want to configure threshold value for following Checkpoint OID's , if any one knows or configured please guide me how can i accomplish this task for following MIB's.

fwModule State 1.3.6.1.4.1.2620.1.1.1
Dropped packets 1.3.6.1.4.1.2620.1.1.6
Rejected Packets In 1.3.6.1.4.1.2620.1.1.25.5.1.11
Rejected Packets Out 1.3.6.1.4.1.2620.1.1.25.5.1.12
Available Physical Memory 1.3.6.1.4.1.2620.1.1.26.2.2
Firewall Memory KB used 1.3.6.1.4.1.2620.1.1.26.2.4
fwSS-http-auth-failures 1.3.6.1.4.1.2620.1.1.26.9.1.17
cpvHwAccelStatus 1.3.6.1.4.1.2620.1.2.8.1.2
fwNumConn 1.3.6.1.4.1.2620.1.1.25.3
cpvIKENoResp 1.3.6.1.4.1.2620.1.2.9.2.2

haState 1.3.6.1.4.1.2620.1.5.6
haBlockState 1.3.6.1.4.1.2620.1.5.7
haWorkMode 1.3.6.1.4.1.2620.1.5.11
haStatus 1.3.6.1.4.1.2620.1.5.12.1.4
haProblemName 1.3.6.1.4.1.2620.1.5.13.1.2
haProblemStatus 1.3.6.1.4.1.2620.1.5.13.1.3
haProblemPriority 1.3.6.1.4.1.2620.1.5.13.1.4
haProblemVerified 1.3.6.1.4.1.2620.1.5.13.1.5
haProblemDescr 1.3.6.1.4.1.2620.1.5.13.1.6

memDiskTransfers 1.3.6.1.4.1.2620.1.6.7.1.7

procUsage 1.3.6.1.4.1.2620.1.6.7.2.4
procQueue 1.3.6.1.4.1.2620.1.6.7.2.5

diskTime 1.3.6.1.4.1.2620.1.6.7.3.1
diskPercent 1.3.6.1.4.1.2620.1.6.7.3.3
diskFreeTotal 1.3.6.1.4.1.2620.1.6.7.3.4
diskFreeAvail 1.3.6.1.4.1.2620.1.6.7.3.5

memActiveVirtual64 1.3.6.1.4.1.2620.1.6.7.4.2
memActiveREal64 1.3.6.1.4.1.2620.1.6.7.4.4
memFreeReal64 1.3.6.1.4.1.2620.1.6.7.4.5

mgActiveStatus 1.3.6.1.4.1.2620.1.7.5
mgFwmIsAlive 1.3.6.1.4.1.2620.1.7.6

wamStatsShortDescr 1.3.6.1.4.1.2620.1.8.102
wamStatLongDescr 1.3.6.1.4.1.2620.1.8.103

lsFwmIsAlive 1.3.6.1.4.1.2620.1.11.5
lsStatCode 1.3.6.1.4.1.2620.1.11.101
lsStatShortDescr 1.3.6.1.4.1.2620.1.11.102
lsStatLongDescr 1.3.6.1.4.1.2620.1.11.103
lsStatLongDescr 1.3.6.1.4.1.2620.1.11.103

Policy installed 1.3.6.1.4.1.2620.1.1.25.1.0

Thanks in advance.

Ravi

Quote:

Originally Posted by jmccourt

All,
Just to clear things up a bit, I've see a lot of people using:
pass 1.3.6.1.4.1.2620 127.0.0.1:260
or
proxy -v1 -c <community> 127.0.0.1:260 .1.3.6.1.4.1.2620

I remember using these in the past to combine Checkpoint SNMP and system SNMP to a single port (Great for those tools that don't allow you to use non standard ports for snmp queries).

It doesn't seem that either of these are needed now, is this because of the master agentx line?

without either of those lines, and just the master agentx entry in the snmpd.conf file I can do things like this.

snmpwalk -v2c -c <community> <ipaddress> 1.3.6.1.4.1.2620

>>
SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"
SNMPv2-SMI::enterprises.2620.1.1.2.0 = STRING: "*********"
SNMPv2-SMI::enterprises.2620.1.1.3.0 = STRING: "Thu Apr 16 17:44:21 2009"
SNMPv2-SMI::enterprises.2620.1.1.4.0 = INTEGER: 228951
SNMPv2-SMI::enterprises.2620.1.1.5.0 = INTEGER: 0
SNMPv2-SMI::enterprises.2620.1.1.6.0 = INTEGER: 5047
SNMPv2-SMI::enterprises.2620.1.1.7.0 = INTEGER: 16975
SNMPv2-SMI::enterprises.2620.1.1.8.0 = INTEGER: 6
SNMPv2-SMI::enterprises.2620.1.1.9.0 = INTEGER: 2

That is obvious checkpoint information the *****'s represented the installed policy.

All is good with neither of the pass, or proxy settings.


Thanks,
Jeremy McCourt