Need help with SNMP trap



cciesec2006
2011-01-05, 23:04
This is what I have in my SPLAT NGx R71.20 firewall /etc/snmp/snmpd.conf file:

smuxpeer 1.3.6.1.4.1.4.3.1.4

trap2sink 192.168.1.1 cciesec2006
proc syslogd 1 1

cp_cleartrap 10 2
disk /var 20%
cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 10 "link 1 down"
cp_monitor 1.3.6.1.2.1.2.2.1.8.2 == 2 10 "link 2 down"
cp_monitor 1.3.6.1.2.1.2.2.1.8.3 == 2 10 "link 3 down"
cp_monitor 1.3.6.1.2.1.2.2.1.8.4 == 2 10 "link 4 down"
cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"
cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 5 5 "CPU load 1 min"
cp_monitor 1.3.6.1.4.1.2021.10.1.5.2 > 10 5 "CPU load 5 min"
cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap"
cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 20 "Cluster State"
cp_monitor 1.3.6.1.4.1.2620.1.1.25.3.0 > 50000 20 "Firewall connections"
cp_monitor 1.3.6.1.2.1.25.2.3.1.6.6 > 60000 60 "/opt hrStorageUsed"

I then performed "service snmpd restart".

After that, I purposely spiked the CPU up to 70% for over an hour, as confirmed in SmartView Monitor. However, using tcpdump on the firewall ("tcpdump -nnnni eth0 port 162"), I am not seeing the SPLAT firewall send out a trap.

I even did "chkconfig snmpd on" and rebooted the firewall, but no cigar. Btw, I have any any accept log on the firewall.

Does anyone know why?

bmolnar
2011-01-06, 12:55
Do you have the SNMP community specified in /etc/snmp/snmpd.users.conf? When I was testing this in the lab several months ago, for some reason it only worked when using public as the community string. Once I changed it, it stopped working.

cciesec2006
2011-01-06, 16:40
> Do you have the SNMP community specified in /etc/snmp/snmpd.users.conf?

YES. I can perform snmp from my NMS to the firewall just fine. It is just that the firewall does NOT send out snmptrap to my receiver.

As a side note, this shows how clueless CP TAC really is. The TAC engineer asked me to perform cpstop;cpstart and see if it resolves the issue. What in the world does snmptrap have to do with doing a disruptive cpstop;cpstart on the gateway?

northlandboy
2011-01-06, 17:55
I had problems with SNMP traps a while ago. I don't have an R71 box at hand - did they ever update the net-snmp package in R71?

http://www.cpug.org/forums/check-point-secureplatform-splat/10598-snmp-trap-splat-ngx-r65.html

cciesec2006
2011-01-06, 20:13
> I had problems with SNMP traps a while ago. I don't have an R71 box at hand - did they ever update the net-snmp package in R71?
>
> http://www.cpug.org/forums/check-point-secureplatform-splat/10598-snmp-trap-splat-ngx-r65.html

[Expert@lab-fw-1]# rpm -qa | grep net-
net-snmp-5.0.9-2.30.000000042cp
net-tools-1.60-21cp
telnet-0.17-20cp
[Expert@lab-fw-1]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R71.20 - Build 025
[Expert@lab-fw-1]#

northlandboy
2011-01-06, 21:04
So it looks like it's still based on an old version of SNMP, and my guess is that it's still compiled without support for DISMAN-EVENT-MIB. Probably unlikely you can get SNMP traps working then.

Personally I prefer it when the management server polls, and makes its own decisions about raising alerts for specific conditions (i.e. CPU/memory/interface flap), but I do think it is something that you should be able to do.

Tell TAC to either get that stuff compiled in, or update the version of net-snmp.
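The polling approach described in the post above, as an added example that is not part of the original thread: a small Python sketch that reads cp_monitor lines in the format of the posted snmpd.conf and evaluates them on the management side against polled values. The function names, sample config and poll values are constructed, and the number before the message is assumed to be a check interval, which the thread does not state.

```python
import operator
import shlex

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}

# Constructed excerpt in the format of the snmpd.conf posted in this thread.
SAMPLE_CONF = '''
trap2sink 192.0.2.10 examplecommunity
cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 10 "link 1 down"
cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 5 5 "CPU load 1 min"
cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 20 "Cluster State"
'''

# Constructed poll results (OID -> value), standing in for SNMP GET replies.
SAMPLE_POLL = {"1.3.6.1.2.1.2.2.1.8.1": 1,
               "1.3.6.1.4.1.2021.10.1.5.1": 70,
               "1.3.6.1.4.1.2620.1.5.6.0": "active"}

def parse_cp_monitor(conf_text):
    """Parse cp_monitor lines; the 5th field is assumed to be an interval."""
    rules = []
    for line in conf_text.splitlines():
        tokens = shlex.split(line)  # keeps quoted messages as one token
        if len(tokens) != 6 or tokens[0] != "cp_monitor" or tokens[2] not in OPS:
            continue  # other directives (trap2sink, disk, ...) are skipped
        _, oid, op, threshold, interval, message = tokens
        rules.append({"oid": oid, "op": op, "threshold": threshold,
                      "interval": int(interval), "message": message})
    return rules

def _coerce(value, threshold):
    """Compare numerically when both sides are numbers, else as strings."""
    try:
        return float(value), float(threshold)
    except (TypeError, ValueError):
        return str(value), str(threshold)

def evaluate(rules, polled):
    """Return (message, state) pairs; state is 'ALERT', 'ok' or 'no-data'."""
    results = []
    for rule in rules:
        if rule["oid"] not in polled:
            # An OID that did not answer is reported, not silently passed.
            results.append((rule["message"], "no-data"))
            continue
        value, limit = _coerce(polled[rule["oid"]], rule["threshold"])
        fired = OPS[rule["op"]](value, limit)
        results.append((rule["message"], "ALERT" if fired else "ok"))
    return results
```
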

cciesec2006
2011-01-07, 08:57
> So it looks like it's still based on an old version of SNMP, and my guess is that it's still compiled without support for DISMAN-EVENT-MIB. Probably unlikely you can get SNMP traps working then.
>
> Personally I prefer it when the management server polls, and makes its own decisions about raising alerts for specific conditions (i.e. CPU/memory/interface flap), but I do think it is something that you should be able to do.
>
> Tell TAC to either get that stuff compiled in, or update the version of net-snmp.

I don't want to sound like a broken record, but shouldn't this be done by Check Point QA to make sure that things work as advertised, as stated in the Administration Guide?

What a piece of crap!!!