SNMP Support

SNMP support is based on the Net-SNMP open source package, and provides the following features:

  • Support for full OS-MIB-II.
  • Monitoring of Check Point status Information (AMON) through SNMP.
  • SNMP V.2 and V.3 Support.

Related Topics

Configuring the SNMP Agent

SNMP Monitoring

SNMP Monitoring Thresholds

Configuring the SNMP Agent

For basic SNMP configuration use the snmp command in the restricted shell, as follows:

snmp service enable [<portnumber>]
snmp service stat
snmp service disable
snmp user add noauthuser <username> [oidbase <OID>]
snmp user add authuser <username> pass <passphrase> [priv <privacyphrase>] [oidbase <OID>]
snmp user del [<username>]
snmp user show [<username>]

snmp Parameter - Description

  • snmp service enable - Starts the SNMP agent daemon listening on the specified UDP port.
  • snmp service disable - Stops the SNMP agent daemon.
  • snmp service stat - Shows the service status.
  • snmp user add - Adds an SNMP v3 user to the agent. Authentication and encryption passwords can be specified for the user. Additionally, the user's access can be restricted to the specified OID sub-tree.
  • snmp user del - Deletes a user. SNMP v1 and v2 users can also be deleted using this command.
  • snmp user show - Lists the existing users.
  • snmp user show [<username>] - Shows the details of all users (or of the specified user): access level information and OID subtree restriction.

SNMP Monitoring

Introduction to SNMP Monitor

Hardware health sensors and RAID disks can be monitored using the SecurePlatform SNMP monitoring daemon. SNMP traps can be set to fire once an OID value is in breach of a configurable threshold. When the OID value is back within threshold boundaries a "clear" trap is sent.

The SNMP monitoring daemon snmpmonitor integrates with the default SecurePlatform net-snmp / Agentx components that are part of the standard SecurePlatform installation.

SNMP Monitor Configuration Guidelines

For each OID that you wish to monitor, a monitoring rule must be defined in the /etc/snmp/snmpd.conf file. The following parameters are required for each monitoring rule:

  • The OID to monitor.
  • A comparison operator: one of: !=, <, >, ==.
  • A threshold value: either an integer (not enclosed within double quotes "") or a string (enclosed within double quotes "").
  • A polling Interval (in seconds).
  • A message (e.g. "HA sync link 1 down", "Internet VLAN down", "Low REAL memory", etc.).

General configuration guidelines are:

  • All configuration is performed in the /etc/snmp/snmpd.conf file.
  • Double quotes are required for enclosing string values.
  • Single quotes are not supported for enclosing string values but may be used inside string values.
  • Lines that start with # are ignored.
  • All lines that do not start with snmp monitor daemon commands are ignored.

Commands used by SNMP Monitor

cp_monitor

The cp_monitor command defines a single monitoring rule.

 cp_monitor <OID> <Operator> <Threshold> <Frequency> <Message>

Once the expression <oid> <operator> <threshold> evaluates to true, traps are sent until the expression evaluates back to false. At that point one or more clear traps are sent to indicate that the OID value has fallen back within acceptable boundaries.

cp_monitor Parameter - Description

  • OID - Use standard OID notation. Supported OID types are Integer and String.
  • Operator - For OIDs of type Integer, use one of: !=, <, >, ==. For OIDs of type String, use one of: !=, ==.
  • Threshold - For OIDs of type Integer: an integer value. For OIDs of type String: a string enclosed within double quotes "".
  • Frequency - Integer value representing the polling interval in seconds. The daemon polls each monitored OID at this interval and, if the rule's expression is true at that poll, sends the trap.
  • Message - A textual message describing the trap (sent as part of the trap); must be enclosed within double quotes "".

Example:

 cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 5 "memAvailReal"
 cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 5 "Cluster State"

To verify that the OID used in a cp_monitor line is correct, make sure the equivalent snmpget command returns a value. For example, before configuring the "memAvailReal" cp_monitor line from the example above, the following snmpget command should return a value:

 snmpget -v 2c -c public localhost 1.3.6.1.4.1.2021.4.6.0

cp_cleartrap

The optional cp_cleartrap command tells the daemon how many clear traps to send, and the interval between them, once a rule's OID value falls back within the configured threshold.

 cp_cleartrap <interval> <retries>

Default values are: 3 packets at 10 second intervals.

cp_cleartrap Parameter - Description

  • interval - The time between clear trap packets, in seconds.
  • retries - The number of clear trap packets to send.

trap2sink

The trap2sink command designates a host that receives traps.

 trap2sink <sink-server>[:<port>] <community>

The snmpmonitor daemon requires a trap2sink command to exist inside the /etc/snmp/snmpd.conf file. The trap2sink command is required (as opposed to the trapsink command) because the snmpmonitor daemon sends SNMP version 2c traps. Note that this command is part of the net-snmp syntax.

trap2sink Parameter - Description

  • sink-server - The sink server to which traps are sent.
  • port - An optional UDP port number on which the server listens. The default is port 162.
  • community - The SNMP community string used for the traps.

Example:

trap2sink 192.0.2.10 public
trap2sink 192.0.2.10:1610 MyCommunity

Configuring SNMP Monitoring and Traps

To configure SNMP monitoring and traps:

  1. Edit the /etc/snmp/snmpd.conf configuration file and define the SNMP monitoring rules and the trap server.

    The following is an example configuration file:

    trap2sink 192.0.2.10 public
    cp_cleartrap 10 2
    proc syslogd 1 1
    disk /var 20%
    cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 60 "link 1 down"
    cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
    cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"
    cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 100 60 "CPU load 1 min"
    cp_monitor 1.3.6.1.4.1.2021.10.1.5.2 > 90 60 "CPU load 5 min"
    cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap"
    cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
    cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 20 "Cluster State"
    cp_monitor 1.3.6.1.4.1.2620.1.1.25.3.0 > 50000 20 "Firewall connections"
    cp_monitor 1.3.6.1.2.1.25.2.3.1.6.6 > 60000 60 "/opt hrStorageUsed"

  2. At the SecurePlatform command prompt, start the snmp service. Run:

    snmp service enable
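The quoting and operator rules for cp_monitor lines, the mandatory trap2sink line and the trap-then-clear behaviour described above, as an added Python example that is not Check Point code or part of the snmpmonitor daemon: it checks a constructed snmpd.conf fragment and replays one rule against constructed polled values.

```python
# Added example, not Check Point code: check snmpmonitor lines of an snmpd.conf fragment and replay a rule.
import operator
import re
from collections import namedtuple
OPS = {"!=": operator.ne, "==": operator.eq, "<": operator.lt, ">": operator.gt}
STR_OPS = {"!=", "=="}  # a String OID may only be compared with != or ==
RULE_RE = re.compile(r'^cp_monitor\s+(\S+)\s+(\S+)\s+("[^"]*"|\S+)\s+(\d+)\s+"([^"]*)"\s*$')
Rule = namedtuple("Rule", "oid op threshold frequency message")  # threshold is int or str

def parse_cp_monitor(line):
    """Parse one 'cp_monitor <OID> <Operator> <Threshold> <Frequency> <Message>' line, enforcing its quoting."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"malformed rule (is the message double-quoted?): {line}")
    oid, op, raw, freq, msg = m.groups()
    if raw.startswith('"'):  # quoted threshold -> String OID
        if op not in STR_OPS:
            raise ValueError(f"operator {op} is not valid for a String OID: {line}")
        return Rule(oid, op, raw.strip('"'), int(freq), msg)
    if op not in OPS or not re.fullmatch(r"-?\d+", raw):  # bare threshold -> Integer OID
        raise ValueError(f"bad integer threshold or operator: {line}")
    return Rule(oid, op, int(raw), int(freq), msg)

def parse_config(text):
    """Collect trap2sink / cp_cleartrap / cp_monitor lines; the daemon ignores the rest."""
    cfg = {"sinks": [], "cleartrap": (10, 3), "rules": []}  # default: 3 clears, 10 s apart
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("trap2sink "):
            cfg["sinks"].append(line.split()[1:])
        elif line.startswith("cp_cleartrap "):
            cfg["cleartrap"] = tuple(int(x) for x in line.split()[1:3])
        elif line.startswith("cp_monitor "):
            cfg["rules"].append(parse_cp_monitor(line))
    if not cfg["sinks"]:  # snmpmonitor sends v2c traps, so a trap2sink line is mandatory
        raise ValueError("no trap2sink line in configuration")
    return cfg

def replay(rule, polled, retries):
    """One trap per poll where <OID> <op> <threshold> holds; 'retries' clear traps once it stops."""
    events, breached = [], False
    for value in polled:
        if OPS[rule.op](value, rule.threshold):
            events.append("trap:" + rule.message)
            breached = True
        elif breached:  # back within bounds: send the clear traps
            events.extend(["clear:" + rule.message] * retries)
            breached = False
    return events

SAMPLE_CONF = """trap2sink 192.0.2.10 public
cp_cleartrap 10 2
cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 != "active" 20 "Cluster State"
"""  # constructed fragment modelled on the guide's example file
```

Running `replay(parse_config(SAMPLE_CONF)["rules"][0], [1500, 1800, 2500, 2600], 2)` yields two traps followed by the two clear traps that cp_cleartrap 10 2 configures.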

SNMP Monitoring Thresholds

This release lets you configure a variety of SNMP Thresholds that generate SNMP traps, or alerts. You can use the thresholds to monitor many system components automatically without requesting information from each object or device. The categories of thresholds that you can configure include:

  • Hardware
  • High Availability
  • Networking
  • Resources
  • Log Server Connectivity

Some categories apply only to some machines or deployments.

In each category are many individual thresholds that you can set. For example, the hardware category includes alerts for the state of the RAID disk, the state of the temperature sensor, the state of the fan speed sensor, and others. For each individual threshold, you can configure:

  • If it is enabled or disabled
  • How frequently alerts are sent
  • The severity of the alert
  • The threshold point (if necessary)
  • Where the alerts are sent to

You can also configure some settings globally, such as how often alerts are sent and where they are sent to.

Types of Alerts

There are two different types of alerts:

  • Active alerts are sent when a threshold point is passed or the status of a monitored component is problematic.
  • Clear alerts are sent when the problem is resolved and the component has returned to its normal value. Clear alerts look like active alerts but the severity is set to 0.

Configuring SNMP Monitoring

Configure the SNMP monitoring thresholds in the command line of the Security Management server. When you install the policy on the gateways the SNMP monitoring thresholds are applied globally to all gateways.

Configuring in Multi-Domain Security Management

In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain Server and on each individual Domain Management Server. Thresholds that you configure on the Multi-Domain Server are for the Multi-Domain Server only. Thresholds that you configure for a Domain Management Server are for that Domain Management Server and its gateways. If a threshold applies to the Multi-Domain Server and the Domain Management Server gateways, set it on the Multi-Domain Server and Domain Management Server. However, in this situation you might only get alerts from the Multi-Domain Server if the threshold is passed.

For example, because the Multi-Domain Server and Domain Management Server are on the same machine, if the CPU threshold is passed, it applies to both of them. However, only the Multi-Domain Server generates alerts.

You can see the Multi-Domain Security Management level for each threshold with the threshold_config utility.

  • If the Multi-Domain Security Management level for a threshold is Multi-Domain Server, alerts are generated for the Multi-Domain Server when the threshold point is passed.
  • If the Multi-Domain Security Management level for a threshold is Multi-Domain Server, Domain Management Server, alerts are generated for the Multi-Domain Server and Domain Management Servers separately when the threshold point is passed.

Configuring a Local Gateway Policy

You can configure SNMP thresholds locally on a gateway with the same procedure that you do on a Security Management server. However, each time you install a policy on the gateway, the local settings are erased and it reverts to the global SNMP threshold settings.

You can use the threshold_config utility to save the configuration file and load it again later. Or you can manually back up the configuration file so that you can copy the configuration to the gateway again after you install the policy.

The configuration file that you can back up is: $FWDIR/conf/thresholds.conf

Configuration Procedures

There is one primary command to configure the thresholds in the command line, threshold_config. You must be in expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.

When you run threshold_config, you get these options:

  • Show policy name - Shows you the name configured for the threshold policy.
  • Set policy name - Lets you set a name for the threshold policy.
  • Save policy - Lets you save the policy.
  • Save policy to file - Lets you export the policy to a file.
  • Load policy from file - Lets you import a threshold policy from a file.
  • Configure global alert settings - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.
  • Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are sent.
  • View thresholds overview - Shows a list of all thresholds that you can set including: The category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.
  • Configure thresholds - Open the list of threshold categories to let you select thresholds to configure.

Configure Global Alert Settings

If you select Configure global alert settings, you can configure global settings for how frequently alerts are sent and how many alerts are sent. You can also configure these settings for each threshold. If a threshold does not have its own alert settings, it uses the global settings by default.

You can configure these options:

  • Enter Alert Repetitions - How many alerts will be sent when an active alert is triggered. If you enter 0, alerts will be sent until the problem is fixed.
  • Enter Alert Repetitions Delay - How long the system waits between sending active alerts.
  • Enter Clear Alert Repetitions - How many clear alerts will be sent after a threshold returns to a normal value.
  • Enter Clear Alert Repetitions Delay - How long the system waits between sending clear alerts.

Configure Alert Destinations

If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are sent. You can also see a list of the configured destinations. A destination is usually an NMS (Network Management System) or a Check Point log server.

After entering the details for a destination, the CLI asks if the destination should apply to all thresholds.

  • If you enter yes, alerts for all thresholds are sent to that destination, unless you remove the destination from an individual threshold.
  • If you enter no, no alerts are sent to that destination by default. However, for each individual threshold, you can configure the destinations and you can add destinations that were not applied to all thresholds.

For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all thresholds.

For each alert destination enter:

  • Name - An identifying name.
  • IP - The IP address of the destination.
  • Port - The port through which it is accessed.
  • Ver - The version of SNMP that it uses.
  • Other data - Some versions of SNMP require more data. Enter the data that is supplied for that SNMP version.

Configure Thresholds

If you select Configure thresholds, you see a list of the categories of thresholds, including:

  • Hardware
  • High Availability
  • Networking
  • Resources
  • Log Server Connectivity

Some categories apply only to some machines or deployments. For example, Hardware applies only to Check Point appliances and High Availability applies only to clusters or high availability deployments.

Select a category to see the thresholds in it. Each threshold can have these options:

  • Enable/Disable Threshold - If the threshold is enabled, the system sends alerts when there is a problem. If it is disabled it does not generate alerts.
  • Set Severity - You can give each threshold a severity setting. The options are: Low, Medium, High, and Critical. The severity level shows in the alerts and in SmartView Monitor and lets you know quickly how important the alert is.
  • Set Repetitions - Set how frequently and how many alerts will be sent when the threshold is passed. If you do not configure this, it uses the global alert settings.
  • Set Threshold Point - Enter the value that will cause active alerts when it is passed. Enter the number only, without a unit of measurement.
  • Configure Alert Destinations - See all of the configured alert destinations. By default, active alerts and clear alerts are sent to the destinations. You can change this for each destination. Select the destination and you see these options:
    • Remove from destinations - If you select this, alerts for this threshold are not sent to the selected destination.
    • Add a destination - If you configured a destination in the global alert destinations but did not apply it to all thresholds, you can add it to the threshold.
    • Disable clear alerts - If you select this, clear alerts for this threshold are not sent to the selected destination. Active alerts are sent.

Completing the Configuration

To complete threshold configuration and activate the settings:

  • On the Security Management server, install the policy on all gateways.
  • For a local gateway threshold policy or a Multi-Domain Security Management Multi-Domain Server environment, restart the CPD process using the cpwd_admin utility:
    1. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    2. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Monitoring SNMP Thresholds

You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.

To see an overview of the SNMP thresholds:

  1. Open SmartView Monitor and select a gateway.
  2. In the summary of the gateway data that opens in the bottom pane, click System Information.
  3. In the new pane that opens, click Thresholds.
  4. In the pane that opens, you can see these details:
    • General Info - A summary of the total SNMP Threshold policy.
      • Policy name - The name that you set for the policy in the CLI.
      • State - If the policy is enabled or disabled.
      • Thresholds - How many thresholds are enabled.
      • Active events - How many thresholds are currently sending alerts.
      • Generated Events - How many thresholds went from not active to active since the policy was installed.
    • Active Events - Details for the thresholds that are currently sending alerts.
      • Name - The name of the alert (given in the CLI).
      • Category - The category of the alert (given in the CLI), for example, Hardware or Resources.
      • MIB object - The name of the object as recorded in the MIB file.
      • MIB object's value - The value of the object when the threshold became active, as recorded in the MIB file.
      • State - The current state of the object, either active or clearing (passed the threshold but is returning to the normal value).
      • Severity - The severity of that threshold, as you configured it in the CLI.
      • Activation time - When the alert was first sent.
    • Alert Destinations - A list of the destinations that alerts are sent to.
      • Name - The name of the location.
      • Type - The type of location, for example, a log server or NMS.
      • State - If logs are being sent from the gateway or Security Management server to the destination machine.
      • Alert Count - How many alerts were sent to the destination from when the policy was started.
    • Errors - Shows thresholds that cannot be monitored. For example, the gateway cannot monitor RAID sensors on a machine that does not have RAID sensors, so it shows an error for the RAID Sensor Threshold.
      • Threshold Name - The name of the threshold with an error.
      • Error - A description of the error.
      • Time of Error - When the error first occurred.
©2013 Check Point Software Technologies Ltd. All rights reserved.