CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

#1 Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    Hi,

    We've been trying to monitor IPSec VPN tunnels on our R75.46/GAiA gateway using OIDs given in CheckPoint MIB file (in $CPDIR/lib/snmp/chkpnt.mib) without succeeding.

    Several OIDs are already used by our monitoring servers (Nagios and PRTG) to get different system information about the gateway (which is working great regardless of the SNMP version used). We only use read-only GET requests from our monitoring servers (we don't use traps either).

    Requesting "usual" CheckPoint OIDs works great, for instance the HA cluster state of the gateway:
    Code:
    snmpget -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 1.3.6.1.4.1.2620.1.5.6.0
    iso.3.6.1.4.1.2620.1.5.6.0 = STRING: "active"
    But as soon as I try with the following OIDs, it doesn't work:
    Attachment 776
    I used MIB Browser and appended the chkpnt.mib file I got from $CPDIR/lib/snmp/.

    Code:
    snmpget -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 .1.3.6.1.4.1.2620.500.9002.1.1
    iso.3.6.1.4.1.2620.500.9002.1.1 = No Such Instance currently exists at this OID
    
    snmpget -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 .1.3.6.1.4.1.2620.500.9002.1.1.0
    iso.3.6.1.4.1.2620.500.9002.1.1.0 = No Such Instance currently exists at this OID
    Code:
    snmptable -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 .1.3.6.1.4.1.2620.500.9002.1.1
    Was that a table? iso.3.6.1.4.1.2620.500.9002.1.1
    I'm pretty sure it has something to do with the information we are trying to get being inside an SNMP table, not a usual String or Numerical value. I found several resources on the internet saying that I need to specify columns/row indexes, but I'm not able to print the table to do so.

    I randomly tried something like this:
    Code:
    snmptable -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 .1.3.6.1.4.1.2620.500.9002.1.1.198.18.0.42
    Was that a table? iso.3.6.1.4.1.2620.500.9002.1.1
    
    snmpget -v 3 -u rouser -a MD5 -A ***** -x DES -X ***** -l authPriv 127.0.0.1 .1.3.6.1.4.1.2620.500.9002.1.1.198.18.0.42
    iso.3.6.1.4.1.2620.500.9002.1.1.198.18.0.42 = No Such Instance currently exists at this OID
    .1.3.6.1.4.1.2620.500.9002.1.1 being the tunnelPeerIpAddr OID
    198.18.0.42 being the IP address of the remote VPN gateway.

    Does anyone know how to get the table values?

#2 Re: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    In the below samples, the gateway 16.0.1.11 has two vpn peers - 16.0.1.12 and 16.0.1.13.

    First, get the list of VPN peers defined on a gateway:
    snmpwalk -v 1 -c public -On 16.0.1.11 .1.3.6.1.4.1.2620.500.9002.1.1
    .1.3.6.1.4.1.2620.500.9003.1.1.16.0.1.12.0 = ipAddress: 16.0.1.12
    .1.3.6.1.4.1.2620.500.9003.1.1.16.0.1.13.0 = ipAddress: 16.0.1.13


    Then you can get properties for a certain VPN tunnel, for example tunnel state:
    snmpget -v 1 -c public -On 16.0.1.11 .1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.13.0
    .1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.13.0 = INTEGER: 3


    OID for a specific parameter is .1.3.6.1.4.1.2620.500.9002.1.#.{peer-ip-addr}.0 where # identifies parameter:
    2 peer gw name
    3 tunnel state (3=active, 4=destroy, 129=idle, 130=phase1, 131=down, 132=init, see SK63663)
    4 vpn community name
    7 self gw addr
    11 tunnel type (1=regular, 2=permanent)

    You can also walk the whole table of tunnel properties (all tunnels included):
    snmpwalk -v 1 -c public -On 16.0.1.11 .1.3.6.1.4.1.2620.500.9002.1
    .1.3.6.1.4.1.2620.500.9002.1.2.16.0.1.12.0 = STRING: "gw2.cptest20140113.local"
    .1.3.6.1.4.1.2620.500.9002.1.2.16.0.1.13.0 = STRING: "gw3.cptest20140113.local"
    .1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.12.0 = INTEGER: 3
    .1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.13.0 = INTEGER: 3
    .1.3.6.1.4.1.2620.500.9002.1.4.16.0.1.12.0 = STRING: "vpn-1-2"
    .1.3.6.1.4.1.2620.500.9002.1.4.16.0.1.13.0 = STRING: "vpn-1-3"
    .1.3.6.1.4.1.2620.500.9002.1.5.16.0.1.12.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.5.16.0.1.13.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.6.16.0.1.12.0 = ""
    .1.3.6.1.4.1.2620.500.9002.1.6.16.0.1.13.0 = ""
    .1.3.6.1.4.1.2620.500.9002.1.7.16.0.1.12.0 = ipAddress: 16.0.1.11
    .1.3.6.1.4.1.2620.500.9002.1.7.16.0.1.13.0 = ipAddress: 16.0.1.11
    .1.3.6.1.4.1.2620.500.9002.1.8.16.0.1.12.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.8.16.0.1.13.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.9.16.0.1.12.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.9.16.0.1.13.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.10.16.0.1.12.0 = INTEGER: 1
    .1.3.6.1.4.1.2620.500.9002.1.10.16.0.1.13.0 = INTEGER: 1
    .1.3.6.1.4.1.2620.500.9002.1.11.16.0.1.12.0 = INTEGER: 2
    .1.3.6.1.4.1.2620.500.9002.1.11.16.0.1.13.0 = INTEGER: 2
    .1.3.6.1.4.1.2620.500.9002.1.12.16.0.1.12.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.12.16.0.1.13.0 = INTEGER: 0
    .1.3.6.1.4.1.2620.500.9002.1.13.16.0.1.12.0 = ""
    .1.3.6.1.4.1.2620.500.9002.1.13.16.0.1.13.0 = ""


    You cannot walk the properties table for a single tunnel, if you have many defined.

    If you have permanent tunnels defined, additional table 9003 is filled with identical data for each permanent tunnel.

    R75.45
    Cheers
    -tarmo-

    CCSE, F5-CA, F5-CTS-LTM, CCSE Plus, CCSP, NCSP
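    As an added example (not code from the thread, from Check Point or from any monitoring product), here is a Python script that ties the two posts above together: tunnel_oid() builds the per-peer instance OID for one column, which is the index encoding the first post was missing (the IpAddress index is the peer's four octets, followed by the .0 the agent appends), and parse_walk() / check_tunnels() turn a numeric snmpwalk (-On) of the whole tunnelTable into a Nagios-style verdict. Column numbers and tunnelState codes are the ones listed in the post above; the rule that a permanent tunnel must be active while a regular tunnel may legitimately be idle is my assumption; the sample walk output is constructed from the post's output with a third, fictional permanent peer 16.0.1.14 added in state down.

```python
"""Check Point tunnelTable helper: build per-peer instance OIDs and turn an
snmpwalk of .1.3.6.1.4.1.2620.500.9002.1 into a Nagios-style tunnel check.
Added example; not code from the thread or from Check Point."""
import re

TUNNEL_TABLE = "1.3.6.1.4.1.2620.500.9002.1"

# Column numbers as listed in the post above (tunnelTable entries).
COLUMNS = {1: "peer_ip", 2: "peer_gw_name", 3: "state", 4: "community",
           7: "self_gw_addr", 11: "tunnel_type"}
# tunnelState values as listed in the post above (sk63663).
STATE_NAMES = {3: "active", 4: "destroy", 129: "idle", 130: "phase1",
               131: "down", 132: "init"}
STATE_ACTIVE, STATE_DOWN = 3, 131
TYPE_PERMANENT = 2

# One walk line: <table>.<column>.<a.b.c.d>.0 = <TYPE>: <value>
# Accepts both the numeric (-On) and the "iso." rendering of the prefix.
LINE_RE = re.compile(r"^(?:\.?1|iso)" + re.escape(TUNNEL_TABLE[1:])
                     + r"\.(\d+)\.(\d{1,3}(?:\.\d{1,3}){3})\.0\s*=\s*(.*)$")


def tunnel_oid(column, peer_ip):
    """Instance OID for one column of one peer. The row index is the peer's
    IpAddress, encoded as its four octets, followed by the trailing .0 the
    agent appends; a bare column OID, or column+IP without the .0, returns
    'No Such Instance', which is the failure shown in the first post."""
    octets = peer_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {peer_ip!r}")
    return f".{TUNNEL_TABLE}.{column}.{peer_ip}.0"


def parse_value(raw):
    """Turn the right-hand side of an snmpwalk line into a Python value."""
    raw = raw.strip()
    for prefix in ("INTEGER:", "Gauge32:", "Counter32:"):
        if raw.startswith(prefix):
            return int(raw[len(prefix):])
    for prefix in ("STRING:", "ipAddress:", "IpAddress:"):
        if raw.startswith(prefix):
            return raw[len(prefix):].strip().strip('"')
    return raw.strip('"')          # e.g. the bare "" of an empty string column


def parse_walk(text):
    """Group walk output by peer IP: {peer: {column_name: value, ...}}."""
    tunnels = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # other subtrees, 'No Such Instance', noise
        column, peer, raw = int(m.group(1)), m.group(2), m.group(3)
        name = COLUMNS.get(column, f"col{column}")
        tunnels.setdefault(peer, {})[name] = parse_value(raw)
    return tunnels


def check_tunnels(tunnels, expected_peers=()):
    """Nagios-style verdict (exit code, message). Assumption, not from the
    thread: a permanent tunnel must be 'active', while a regular (on-demand)
    tunnel may legitimately sit 'idle', so only 'down' is flagged for it.
    Peers expected but absent from the table are CRITICAL, so an empty or
    disabled OID branch does not silently read as healthy."""
    crit, warn = [], []
    for peer in expected_peers:
        if peer not in tunnels:
            crit.append(f"{peer} missing from tunnelTable")
    for peer, cols in sorted(tunnels.items()):
        state = cols.get("state")
        label = STATE_NAMES.get(state, f"state {state}")
        if cols.get("tunnel_type") == TYPE_PERMANENT:
            if state != STATE_ACTIVE:
                crit.append(f"{peer} permanent tunnel {label}")
        elif state == STATE_DOWN:
            warn.append(f"{peer} regular tunnel {label}")
    if crit:
        return 2, "CRITICAL - " + "; ".join(crit)
    if warn:
        return 1, "WARNING - " + "; ".join(warn)
    return 0, f"OK - {len(tunnels)} tunnel(s) in tunnelTable"


# Constructed sample: the walk from the post above, plus a fictional third
# permanent peer 16.0.1.14 that is down, and 16.0.1.13 made regular and idle.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2620.500.9002.1.2.16.0.1.12.0 = STRING: "gw2.cptest20140113.local"
.1.3.6.1.4.1.2620.500.9002.1.2.16.0.1.13.0 = STRING: "gw3.cptest20140113.local"
.1.3.6.1.4.1.2620.500.9002.1.2.16.0.1.14.0 = STRING: "gw4.example.local"
.1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.12.0 = INTEGER: 3
.1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.13.0 = INTEGER: 129
.1.3.6.1.4.1.2620.500.9002.1.3.16.0.1.14.0 = INTEGER: 131
.1.3.6.1.4.1.2620.500.9002.1.4.16.0.1.12.0 = STRING: "vpn-1-2"
.1.3.6.1.4.1.2620.500.9002.1.4.16.0.1.13.0 = STRING: "vpn-1-3"
.1.3.6.1.4.1.2620.500.9002.1.4.16.0.1.14.0 = STRING: "vpn-1-4"
.1.3.6.1.4.1.2620.500.9002.1.7.16.0.1.12.0 = ipAddress: 16.0.1.11
.1.3.6.1.4.1.2620.500.9002.1.7.16.0.1.13.0 = ipAddress: 16.0.1.11
.1.3.6.1.4.1.2620.500.9002.1.7.16.0.1.14.0 = ipAddress: 16.0.1.11
.1.3.6.1.4.1.2620.500.9002.1.11.16.0.1.12.0 = INTEGER: 2
.1.3.6.1.4.1.2620.500.9002.1.11.16.0.1.13.0 = INTEGER: 1
.1.3.6.1.4.1.2620.500.9002.1.11.16.0.1.14.0 = INTEGER: 2
.1.3.6.1.4.1.2620.500.9002.1.13.16.0.1.12.0 = ""
"""

if __name__ == "__main__":
    print(tunnel_oid(3, "16.0.1.13"))   # feed this to snmpget
    code, msg = check_tunnels(parse_walk(SAMPLE_WALK),
                              expected_peers=["16.0.1.12", "16.0.1.13",
                                              "16.0.1.14", "16.0.1.15"])
    print(msg)
    raise SystemExit(code)
```

    In practice the walk text comes from `snmpwalk -On ... .1.3.6.1.4.1.2620.500.9002.1` and the OID from tunnel_oid() goes straight into snmpget; use the SNMPv3 authPriv flags from the first post rather than the v1 "public" community shown above, and prefer SHA/AES over MD5/DES where the agent offers them. Always pass the peers you expect as expected_peers: when the branch is empty (the disabled-branch case later in this thread) the walk parses to nothing, and without that list a plain "no bad tunnels" check would report OK.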

#3 Re: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    Chakapoint, did you achieve the result? I tried everything but got the same error here.

#4 Re: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    I see the topic got a lot of views so I guess I should provide the solution (better late than never, sorry for the very late reply).

    This OID branch was disabled in R75.46. The solution was to install a hotfix provided by Check Point TAC support.

    Later, we upgraded the GW to R77.10 and got the same issue. Again, the solution was to install a R77.10 Jumbo Fix.

    Once the branch is available, please refer to momrat's instructions to use the OIDs.

#5 Re: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    Quote Originally Posted by chakapoint:
    I see the topic got a lot of views so I guess I should provide the solution (better late than never, sorry for the very late reply).

    This OID branch was disabled in R75.46. The solution was to install a hotfix provided by Check Point TAC support.

    Later, we upgraded the GW to R77.10 and got the same issue. Again, the solution was to install a R77.10 Jumbo Fix.

    Once the branch is available, please refer to momrat's instructions to use the OIDs.
    Chakapoint, thanks for the solution.

    One question I have (I use PRTG too): if I configure this and install the hotfix, can I monitor whether the tunnel is up or down? If yes, I can integrate this into PRTG and, if the tunnel is down, pause all the sensors.

#6 Re: Monitoring IPSec VPN tunnels with CheckPoint OIDs on GAiA R75.46

    I am also trying to monitor tunnel status on IPSO appliances using SolarWinds.

    So far I receive no results when querying for that OID, but I am positive I will make it work. Meanwhile I have found this sk63663
    https://supportcenter.checkpoint.com...tionid=sk63663

    I will get back with an update
