CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: How To Enable SNMP on SPLAT

  1. #1
    Join Date
    2008-11-23
    Location
    Atlanta, GA
    Posts
    542
    Rep Power
    11

    Default How To Enable SNMP on SPLAT

    Let me be the first to "jump in."

    This is the procedure we use to enable SNMP on Check Point SecurePlatform (SPLAT).

    1. ssh to the firewall and switch to expert mode.
    2. verify the Check Point SNMP extension is disabled by going to cpconfig > SNMP Extension (disable if necessary).
    3. Configure the snmp daemon.
    Code:
    vi /etc/snmp/snmpd.conf
    - scroll past the "Master Agentx" line and start a new line ('a' to "append").
    - add the following lines in the format of rocommunity_community_string_IPaddress:
    Code:
    rocommunity public 10.10.10.10
    rwcommunity private 10.10.10.10
    - edit the "syslocation" and "syscontact" lines to describe the firewall:
    Code:
    syslocation "Anchorage Gateway"
    syscontact "SOC Firewall Team - 1-800-382-5968"
    - save and exit the file (shift zz)
    4. Make the snmpd daemon persistent across reboots:
    Code:
    chkconfig --add snmpd
    chkconfig --level 3 snmpd on
    chkconfig --level 4 snmpd on
    chkconfig --level 5 snmpd on
    5. Remove defaults (please don't use "public" or "private" as your strings)
    Code:
    snmp user del public
    snmp user del private
    6. Configure Check Point SNMP
    Code:
    vi $FWDIR/conf/snmp.C
    - it should look like this when you are done:
    Code:
    (
           : (
                   : (system.sysName.0
                           :value (Anchorage_GW)
                   )
                   : (system.sysDescr.0
                           :value ("Linux i386 vEL.3.0 Check Point FireWall-1 SecurePlatform")
                   )
                   : (system.sysContact.0
                           :value ("SOC Firewall Team - 1-800-382-5968")
                   )
                   : (system.sysLocation.0
                           :value ("Anchorage Gateway")
                   )
                   : (system.sysObjectID.0
                           :value (".1.3.6.1.4.1.2620.1.1")
                   )
           )
           :snmp_community (
                   :read (ro_string)
                   :write (rw_string)
           )
    )
    7. Enable SNMP
    Code:
    snmp service enable 161
    8. Verify it's running on correct port:
    Code:
    netstat -an|grep 161
    OR
    Code:
    snmp service stat
    (correct response should say enabled and listening on port 161)
    9. Enable Check Point SNMP
    - cpconfig > SNMP Extension > Y to enable > Exit (do the cprestart during next maintenance window)


    While I haven't verified this on R70 and above, this is what worked for us for our R65 monitoring project.

    Another set of good ideas:
    While I'm in here, another good idea is to setup core dump file generation - it's quick, easy and useful when needed (although I haven't had the "opportunity" to test/use it yet). Be sure to do a cprestart or reboot when you are done with the below commands, but that's required for the above as well so I'm sure you can do everything listed here and then reboot at the end of it all.
    1. Setup Core Dump File Generation.
    Code:
    ulimit -c 2048
    um_core enable
    2. Modify the pre-authenticated SSH session inactivity timeout:
    Code:
    vi /etc/ssh/sshd_config
    - Remove the '#' from the beginning of the line that says "LoginGraceTime 120"
    - Change "120" to "60"
    - Press <ESC> and then Shift-ZZ to save and quit.
    3. Force SSHv2
    Code:
    vi /etc/ssh/sshd_config
    - Ensure the line "Protocol 2" is uncommented (remove the '#')
    - Press <ESC> and then Shift-ZZ to save and quit.
    Code:
    service sshd restart
    4. Setup a Banner
    Code:
    cd /etc
    vi banner
    <ENTER BANNER HERE>
    You'll also need to modify sshd_config:
    Code:
    vi /etc/ssh/sshd_config
    Scroll to the line that says "#Banner /some/path" and remove the "#". Then, replace "/some/path" with "/etc/banner" and then press <ESC> and <SHIFT> ZZ to save and exit. Restart the sshd service.
    Code:
    service sshd restart
    5. Modify the idle timeout.
    Code:
    cd /etc/rc.d
    cp rc.local rc.local.bak
    chmod 777 rc.local
    vi rc.local
    <A to Append after the line beginning with "touch">
    idle 5
    <ESC>
    <SHIFT ZZ>
    chmod 555 rc.local
    exit
    idle 5
    6. Add WinSCP user
    Code:
    expert
    adduser winscp
    <password>
    <confirm_password>
    cd /etc
    vi passwd
    <modify the line beginning with "winscp" to the following>
    winscp:x:0:0::/home/winscp:/bin/bash
    Escape and wq! to "write and quit"

    I know it's a lot, but IMO it's some very good initial setup ideas.

    Hope this helps!
    Last edited by boldin; 2011-02-23 at 09:50. Reason: add other initial setup stuff (other than SNMP)
    - boldin
    CISSP
    CCSE/R65
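
An added check for the snmpd.conf edits in post #1 (example code, not part of the original thread): it flags the default "public"/"private" strings the post asks you not to use, community lines with no source address, and read-write communities. The function names and the community string `m0nitor-ro` are made up for illustration, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit community directives in snmpd.conf.

# Print one finding per line for the file in $1; return 1 if anything is flagged.
audit_snmpd_conf() {
    findings=$(awk '
        $1 ~ /^#/ || NF == 0 { next }              # skip comments and blank lines
        $1 == "rocommunity" || $1 == "rwcommunity" {
            comm = $2; src = $3
            if (comm == "public" || comm == "private")
                printf "line %d: default community string \"%s\"\n", NR, comm
            if (src == "" || src == "default" || src == "0.0.0.0/0")
                printf "line %d: %s accepts queries from any source\n", NR, $1
            if ($1 == "rwcommunity")
                printf "line %d: read-write community, confirm SNMP SET is needed\n", NR
        }' "$1")
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"
    return 1
}

# Constructed sample: the strings from step 3 of the post, plus an unrestricted entry.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real gateway config
rocommunity public 10.10.10.10
rwcommunity private 10.10.10.10
rocommunity m0nitor-ro
syslocation "Anchorage Gateway"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_snmpd_conf "$sample" || true
rm -f "$sample"
```

On a gateway, call `audit_snmpd_conf /etc/snmp/snmpd.conf`; a non-zero return means at least one line needs review.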

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Default Re: How To Enable SNMP on SPLAT

    Quote: Originally posted by boldin
    Another set of good ideas:
    While I'm in here, another good idea is to setup core dump file generation - it's quick, easy and useful when needed (although I haven't had the "opportunity" to test/use it yet). Be sure to do a cprestart or reboot when you are done with the below commands, but that's required for the above as well so I'm sure you can do everything listed here and then reboot at the end of it all.
    1. Setup Core Dump File Generation.
    Code:
    ulimit -c 2048
    um_core enable
    Just as an FYI, the 2048 refers to the maximum number of "blocks" to allow for core files that are created. On my server, blocks are 4096kb each, but your server may vary. To find out what the block size is for your server, run
    Code:
    tune2fs -l /dev/device_name_of_root_partition
    If you don't know the device name of your root partition, run the mount command. I lowered my ulimit setting to 512 since the block sizes on my server were larger than I originally anticipated.

  3. #3
    Join Date
    2008-11-23
    Location
    Atlanta, GA
    Posts
    542
    Rep Power
    11

    Default Re: How To Enable SNMP on SPLAT

    Thanks - I always thought that was a size in Kb...
    - boldin
    CISSP
    CCSE/R65

  4. #4
    Join Date
    2006-11-21
    Location
    Michigan
    Posts
    70
    Rep Power
    13

    Default Re: How To Enable SNMP on SPLAT

    Quote: Originally posted by boldin
    Let me be the first to "jump in."
    ...
    Hope this helps!
    Big Time did this help!!

    Just to let you know I am plagiarizing this post into my own docs. This is making my Solarwinds monitoring of my SPLAT boxes much easier.

    BTW: Your royalty check is in the mail ;)

  5. #5
    Join Date
    2007-08-15
    Location
    NL
    Posts
    38
    Rep Power
    0

    Default Re: How To Enable SNMP on SPLAT

    Supergreat!
    This has been on my "to-do tasks" list for a while now.

    Wim

  6. #6
    Join Date
    2008-06-03
    Posts
    40
    Rep Power
    0

    Default Re: How To Enable SNMP on SPLAT

    Which process does enabling SNMP through cpconfig start? I was able to get away without a service break by enabling SNMP with just "service snmpd start". Traps get sent and snmpget also replies correctly to both SPLAT and Check Point MIB queries.

    Check Point MIB replies don't survive reboot, but "service snmpd restart" in rc.local fixes it.

  7. #7
    Join Date
    2012-09-03
    Posts
    15
    Rep Power
    0

    Default Re: How To Enable SNMP on SPLAT

    Nice walkthrough, thanks. However I have a couple of issues.

    Firstly on my primary box when I ran:
    snmp service stat

    I got

    /usr/sbin/snmp: line 77: /etc/sysconfig/snmpd: No such file or directory

    Running the same steps on my secondary box went through just fine.

    Also, my colleague running the monitoring server has asked me to enable SNMPv2 on the box, rather than v1. I can't find anywhere to enable one over the other, is there a way?

    I'm running R75.30 on both boxes in a HA cluster.
    Last edited by Andim; 2012-09-20 at 11:40.

  8. #8
    Join Date
    2011-01-31
    Posts
    8
    Rep Power
    0

    Default Re: How To Enable SNMP on SPLAT

    Hi,
    unfortunately my customer doesn't have the expert password (OMG!). Is there a workaround to enable SNMP on SPLAT?

    Thanks a lot
