4 Replies Latest reply on Nov 29, 2018 8:08 AM by krishna mishra

Checkpoint Chassis and VS snmp monitoring

tbemus Oct 11, 2018 8:58 AM

I am monitoring many Checkpoint physical firewalls via snmp. I want to monitor the Checkpoint VS firewalls that are in our VSX Chassis firewalls. Check Point provides a way to monitor them via the chassis IP and provide the VS number but I don't know if this would work with NPM. Is this something currently done?

Here is the part of the Checkpoint Documentation.

Query VSX Gateway over SNMP - SNMP VS mode

Show / Hide this section

General
information

Each Virtual Device has a separate SNMP daemon running in the context of that Virtual Device.
SNMP queries to SNMP daemons in the contexts of Virtual Devices must be sent in the following way:
- sent using SNMP v3
- sent to the IP address of Management interface on VSX Gateway / VSX Cluster member itself (context of VS0)
- sent using exact Virtual Device context (otherwise, the answer is returned for the context of VS0)
To specify, which Virtual Device context should be queried, SNMP v3 contexts mechanism is used (see examples below).
SNMP v3 must be configured on VSX Gateway / each VSX Cluster member (refer to section "(II) SNMP configuration").

Example diagram:

Host (1) sends an SNMP query (2) to the IP address of the
Management interface on VSX Gateway (3) / VSX Cluster member (3)
using exact Virtual Device context (5)
SNMP query is processed by the SNMP daemon running in the context of that Virtual Device (5)
Virtual Device (5) sends an SNMP response (4)

Notes

Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 is available only in the context of VS0.
The SNMP response contains the data from all configured Virtual Devices [Limitation ID 01453316].
SNMP OIDs other than VSX OID Branch 1.3.6.1.4.1.2620.1.16 can be queried per Virtual Device.
The SNMP response contains the data only from the specific queried Virtual Device.
Only SNMP daemon running in the context of VS0 supports SNMP traps.

Configuration

Note: In cluster environment, this procedure must be performed on all members of the cluster.

Create an SNMPv3 User:
- Either configure authentication without privacy:HostName:0> add snmp usm user USERNAME security-level authNoPriv auth-pass-phrase PASSPHRASEHostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
- Or configure authentication with privacy:HostName:0> add snmp usm user USERNAME security-level authPriv <auth-pass-phrase | privacy-pass-phrase> PASSPHRASEHostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
Enable the SNMP Agent:HostName:0> set snmp agent on
Configure the SNMP mode to 'VS':HostName:0> set snmp mode vs
Set SNMP user permission to query any Virtual System:HostName:0> set snmp usm user USERNAME vsid all
Save the changes in Gaia Database:HostName:0> save config
Verify that relevant SNMP daemons are running:[Expert@HostName:0]# ps auxw | grep -v grep | grep -E "PID|snmp"Show / Hide example output

Query specific
Virtual Device

To query specific Virtual Device (not VS0), use SNMP v3 and specify the required Virtual Device context in the following format:[Expert@HostName:0]# snmpwalk -v3 -u SNMPv3_USER -l <authNoPriv | authPriv> -A PASSPHRASE -n ctxname_vsid<VSID_NUMBER> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>Note: "ctxname_vsid<VSID_NUMBER>" is one word.Example - query for name of policy loaded on Virtual System 3:
[Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 -n ctxname_vsid3 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
To query only VS0, use the following formats:
- SNMP v1:[Expert@HostName:0]# snmpwalk -v1 -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
- SNMP v2c:[Expert@HostName:0]# snmpwalk -v2c -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
- SNMP v3:[Expert@HostName:0]# snmpwalk -v3 -u <SNMPv3_USER_NAME> -l <authNoPriv | authPriv> -A <PASSPHRASE> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
Examples:
- Local query for name of policy loaded on VS0:[Expert@HostName:0]# snmpwalk -v 2c -c test_community <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
- Local query for names of policies loaded on all Virtual-Devices:[Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> .1.3.6.1.4.1.2620.1.16.22.1.1.6

Re: Checkpoint Chassis and VS snmp monitoring

st.crispan Oct 31, 2018 1:20 PM (in response to tbemus)

Tony,

I found your post along with this one (How to monitor check point firewall using NPM ) while looking for a template to monitor my Checkpoints.

I notice that this one was posted after that one. That other one has a .poller file, which I haven't been able to figure out how to import yet. Any advice on how to use your .poller file?

In the meantime I have the MIB for R80.10, if you're interested.
Like (0)

Actions
- Re: Checkpoint Chassis and VS snmp monitoring
  
  tbemus Oct 31, 2018 1:41 PM (in response to st.crispan)
  
  I would love the one based on R80. Thanks.
  
  To import the .poller file
  go to All Settings -> Node and Group Management -> Manage Pollers.
  select import and select the file.
  assign it to the nodes you want.
  If the option is grayed out then Orion needs to scan the device to see if the OIDs match. Might take time to scan the nodes or they don't match. My poller file was created based on R77.30 and tested to work on R77.20, R77.10. It worked for a while on R75 but then stopped a week later.
  
  Like (0)
  
  Actions
  - Re: Checkpoint Chassis and VS snmp monitoring
    
    st.crispan Nov 2, 2018 3:56 PM (in response to tbemus)
    
    Here's the MIB. Enjoy.
    
    Thanks for the poller.
    
    R80_10_chkpnt.mib 383.3 KB
    
    Like (0)
    
    Actions
    - Re: Checkpoint Chassis and VS snmp monitoring
      
      krishna mishra Nov 29, 2018 8:08 AM (in response to st.crispan)
      
      thanks,
      
      how to use the MIB file in solarwinds to get the all OID,
      
      please suggest.
      
      thanks
      
      Like (0)
      
      Actions

Go to original post