Checkpoint Chassis and VS snmp monitoring
tbemus Oct 11, 2018 8:58 AM

I am monitoring many Check Point physical firewalls via SNMP. I want to monitor the Check Point VS firewalls that are in our VSX chassis firewalls. Check Point provides a way to monitor them via the chassis IP and the VS number, but I don't know if this would work with NPM. Is this something currently done?
Here is the part of the Check Point documentation.
Query VSX Gateway over SNMP - SNMP VS mode
General information
- Each Virtual Device has a separate SNMP daemon running in the context of that Virtual Device.
- SNMP queries to SNMP daemons in the contexts of Virtual Devices must be sent in the following way:
- sent using SNMP v3
- sent to the IP address of Management interface on VSX Gateway / VSX Cluster member itself (context of VS0)
- sent using exact Virtual Device context (otherwise, the answer is returned for the context of VS0)
- To specify which Virtual Device context should be queried, the SNMP v3 contexts mechanism is used (see examples below).
- SNMP v3 must be configured on VSX Gateway / each VSX Cluster member (refer to section "(II) SNMP configuration").
Notes
- Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 is available only in the context of VS0. The SNMP response contains the data from all configured Virtual Devices [Limitation ID 01453316].
- SNMP OIDs other than VSX OID Branch 1.3.6.1.4.1.2620.1.16 can be queried per Virtual Device. The SNMP response contains the data only from the specific queried Virtual Device.
- Only the SNMP daemon running in the context of VS0 supports SNMP traps.
Configuration
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
- Create an SNMPv3 user:
- Either configure authentication without privacy:
HostName:0> add snmp usm user USERNAME security-level authNoPriv auth-pass-phrase PASSPHRASE
HostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
- Or configure authentication with privacy:
HostName:0> add snmp usm user USERNAME security-level authPriv <auth-pass-phrase | privacy-pass-phrase> PASSPHRASE
HostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
- Enable the SNMP Agent:
HostName:0> set snmp agent on
- Configure the SNMP mode to 'VS':
HostName:0> set snmp mode vs
- Set SNMP user permission to query any Virtual System:
HostName:0> set snmp usm user USERNAME vsid all
- Save the changes in Gaia Database:
HostName:0> save config
- Verify that relevant SNMP daemons are running:
[Expert@HostName:0]# ps auxw | grep -v grep | grep -E "PID|snmp"
Query specific Virtual Device
- To query a specific Virtual Device (not VS0), use SNMP v3 and specify the required Virtual Device context in the following format:
[Expert@HostName:0]# snmpwalk -v3 -u SNMPv3_USER -l <authNoPriv | authPriv> -A PASSPHRASE -n ctxname_vsid<VSID_NUMBER> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
Note: "ctxname_vsid<VSID_NUMBER>" is one word.
Example - query for name of policy loaded on Virtual System 3:
[Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 -n ctxname_vsid3 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
- To query only VS0, use the following formats:
- SNMP v1:
[Expert@HostName:0]# snmpwalk -v1 -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
- SNMP v2c:
[Expert@HostName:0]# snmpwalk -v2c -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
- SNMP v3:
[Expert@HostName:0]# snmpwalk -v3 -u <SNMPv3_USER_NAME> -l <authNoPriv | authPriv> -A <PASSPHRASE> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
- Local query for name of policy loaded on VS0:
[Expert@HostName:0]# snmpwalk -v 2c -c test_community <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
- Local query for names of policies loaded on all Virtual Devices:
[Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> .1.3.6.1.4.1.2620.1.16.22.1.1.6
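As an added example (not from the Check Point documentation, NPM, or the poster), the Python helpers below encode the rules quoted above: they build the SNMPv3 context name, refuse to aim the VS0-only VSX branch at another Virtual Device, assemble the snmpwalk command as an argv list, and parse the walk output into a dictionary. The host address, user name and output lines are constructed sample values, not taken from any real gateway.

```python
import re
from typing import Dict, List, Optional

VSX_OID_BRANCH = "1.3.6.1.4.1.2620.1.16"  # per the doc: answers only in the VS0 context
LINE_RE = re.compile(r"^(?P<oid>[\w:.\-]+)\s+=\s+(?P<type>\w+):\s*(?P<value>.*)$")


def vs_context(vsid: int) -> str:
    """SNMPv3 context name for a Virtual Device, e.g. 3 -> 'ctxname_vsid3' (one word)."""
    return f"ctxname_vsid{vsid}"


def vsx_branch_needs_vs0(oid: str, vsid: int) -> bool:
    """True when a non-VS0 context is combined with the VS0-only VSX branch."""
    return vsid != 0 and oid.lstrip(".").startswith(VSX_OID_BRANCH)


def build_snmpwalk(host: str, user: str, level: str, auth_pass: str, oid: str,
                   vsid: int = 0, priv_pass: Optional[str] = None) -> List[str]:
    """argv for snmpwalk; vsid=0 omits -n so the query lands in VS0."""
    if level not in ("authNoPriv", "authPriv"):
        raise ValueError("level must be authNoPriv or authPriv")
    if level == "authPriv" and not priv_pass:
        raise ValueError("authPriv needs a privacy pass-phrase")
    if vsx_branch_needs_vs0(oid, vsid):
        raise ValueError(f"{VSX_OID_BRANCH} answers only in the VS0 context")
    # Pass-phrases on argv are visible to local users via ps; a production poller
    # should keep them in snmp.conf (defAuthPassphrase / defPrivPassphrase) instead.
    argv = ["snmpwalk", "-v3", "-u", user, "-l", level, "-A", auth_pass]
    if level == "authPriv":
        argv += ["-X", priv_pass]
    if vsid:
        argv += ["-n", vs_context(vsid)]
    return argv + [host, oid]


def parse_snmpwalk(output: str) -> Dict[str, str]:
    """Map 'OID = TYPE: value' lines to {oid: value}; STRING values lose their quotes."""
    rows: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            value = m.group("value")
            rows[m.group("oid")] = value.strip('"') if m.group("type") == "STRING" else value
    return rows


# Constructed sample output of the VS0-only policy-name walk (.1.3.6.1.4.1.2620.1.16.22.1.1.6).
SAMPLE_OUTPUT = """\
SNMPv2-SMI::enterprises.2620.1.16.22.1.1.6.1 = STRING: "Standard"
SNMPv2-SMI::enterprises.2620.1.16.22.1.1.6.2 = STRING: "VS2_Policy"
"""
```

Pass the returned argv list to `subprocess.run(argv, capture_output=True, text=True)` rather than through a shell, and feed its stdout to `parse_snmpwalk`.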