4 Replies Latest reply on Nov 29, 2018 8:08 AM by krishna mishra

    Checkpoint Chassis and VS snmp monitoring

    tbemus

I am monitoring many Checkpoint physical firewalls via snmp. I want to monitor the Checkpoint VS firewalls that are in our VSX Chassis firewalls. Check Point provides a way to monitor them via the chassis IP by providing the VS number, but I don't know if this would work with NPM. Is this something currently done?

       

      Here is the part of the Checkpoint Documentation.

       

      • Query VSX Gateway over SNMP - SNMP VS mode


        General information
        • Each Virtual Device has a separate SNMP daemon running in the context of that Virtual Device.
        • SNMP queries to SNMP daemons in the contexts of Virtual Devices must be sent in the following way:
          • sent using SNMP v3
          • sent to the IP address of Management interface on VSX Gateway / VSX Cluster member itself (context of VS0)
          • sent using exact Virtual Device context (otherwise, the answer is returned for the context of VS0)
        • To specify which Virtual Device context should be queried, the SNMP v3 context mechanism is used (see examples below).
        • SNMP v3 must be configured on VSX Gateway / each VSX Cluster member (refer to section "(II) SNMP configuration").
        Example diagram:
        1. Host (1) sends an SNMP query (2) to the IP address of the
          Management interface on VSX Gateway (3) / VSX Cluster member (3)
          using exact Virtual Device context (5)
        2. SNMP query is processed by the SNMP daemon running in the context of that Virtual Device (5)
        3. Virtual Device (5) sends an SNMP response (4)
        Notes
        • Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 is available only in the context of VS0.
          The SNMP response contains the data from all configured Virtual Devices [Limitation ID 01453316].
        • SNMP OIDs other than VSX OID Branch 1.3.6.1.4.1.2620.1.16 can be queried per Virtual Device.
          The SNMP response contains the data only from the specific queried Virtual Device.
        • Only SNMP daemon running in the context of VS0 supports SNMP traps.
        Configuration
        Note: In a cluster environment, this procedure must be performed on all members of the cluster.
        1. Create an SNMPv3 User:
          • Either configure authentication without privacy:
            HostName:0> add snmp usm user USERNAME security-level authNoPriv auth-pass-phrase PASSPHRASE
            HostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
          • Or configure authentication with privacy:
            HostName:0> add snmp usm user USERNAME security-level authPriv <auth-pass-phrase | privacy-pass-phrase> PASSPHRASE
            HostName:0> set snmp usm user USERNAME <usm-read-only | usm-read-write>
        2. Enable the SNMP Agent:
          HostName:0> set snmp agent on
        3. Configure the SNMP mode to 'VS':
          HostName:0> set snmp mode vs
        4. Set SNMP user permission to query any Virtual System:
          HostName:0> set snmp usm user USERNAME vsid all
        5. Save the changes in the Gaia Database:
          HostName:0> save config
        6. Verify that the relevant SNMP daemons are running:
          [Expert@HostName:0]# ps auxw | grep -v grep | grep -E "PID|snmp"
        Query specific Virtual Device
        • To query a specific Virtual Device (not VS0), use SNMP v3 and specify the required Virtual Device context in the following format:
          [Expert@HostName:0]# snmpwalk -v3 -u SNMPv3_USER -l <authNoPriv | authPriv> -A PASSPHRASE -n ctxname_vsid<VSID_NUMBER> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
          Note: "ctxname_vsid<VSID_NUMBER>" is one word.
          Example - query for the name of the policy loaded on Virtual System 3:
          [Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 -n ctxname_vsid3 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
        • To query only VS0, use the following formats:
          • SNMP v1:
            [Expert@HostName:0]# snmpwalk -v1 -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
          • SNMP v2c:
            [Expert@HostName:0]# snmpwalk -v2c -c <community> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
          • SNMP v3:
            [Expert@HostName:0]# snmpwalk -v3 -u <SNMPv3_USER_NAME> -l <authNoPriv | authPriv> -A <PASSPHRASE> <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> <OID>
          Examples:
          • Local query for the name of the policy loaded on VS0:
            [Expert@HostName:0]# snmpwalk -v 2c -c test_community <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> 1.3.6.1.4.1.2620.1.1.25.1
          • Local query for the names of the policies loaded on all Virtual Devices:
            [Expert@HostName:0]# snmpwalk -v3 -u test_user -l authNoPriv -A testpass123 <IP_ADDRESS_OF_VSX_GATEWAY_ITSELF> .1.3.6.1.4.1.2620.1.16.22.1.1.6