
System Management

In This Section:

Time

Cloning Groups

SNMP

Job Scheduler

Mail Notification

Messages

Session

Core Dumps

System Configuration

System Logging

Network Access

Configuring the WebUI Web server

Host Access

This chapter includes procedures and reference information for system management tasks.

Time

All Security Gateways, Security Management Servers and cluster members must synchronize their system clocks. This is important for these reasons:

You can use these methods to set the system date and time:

Network Time Protocol (NTP)

Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of computers in a network to the millisecond.

NTP runs as a background client program on a client computer. It sends periodic time requests to specified servers to synchronize the client computer clock. We recommend that you configure more than one NTP server for redundancy.

Setting the Time and Date - WebUI

To set time and date automatically using NTP:

  1. In the WebUI tree, click System Management > Time.
  2. Click Set Time and Date.
  3. In the Time and Date Settings window, select Set Time and Date automatically using Network Time Protocol (NTP).
  4. Enter the host name or IP address of the primary and (optionally) secondary NTP servers.
  5. Select the NTP version for the applicable server.
  6. Click OK.

To set the system time and date:

  1. In the tree view, click System Management > Time.
  2. Click Set Time and Date.
  3. Enter the time and date in the applicable fields.
  4. Click OK.

To set the time zone:

  1. In the tree view, click System Management > Time.
  2. Click Set Time Zone and select the time zone from the list.
  3. Click OK.

Configuring NTP - CLI (ntp)

NTP

Description

Use this command to configure and troubleshoot the Network Time Protocol (NTP).

Syntax

To monitor and troubleshoot your NTP implementation:

show ntp active
show ntp current
show ntp servers
 

To add a new NTP server:

set ntp active [On|Off]
set ntp server primary VALUE version VALUE
set ntp server secondary VALUE version VALUE

To delete an NTP server:

delete ntp server <IP>
 

Parameters

Parameter

Description

active

With show ntp active: shows whether NTP is enabled. With set ntp active: enables or disables NTP. Valid values are On or Off.

current

Shows the host name or IP address of the NTP server you are using now.

primary

Set the host name or IP address of the primary NTP server.

secondary

The host name or IP address of the secondary NTP server.

version

The version number of the NTP server (from 1 to 4).

server

Keyword that identifies the NTP server.

 

Example

show ntp servers

Output

IP Address               Type              Version
pool.ntp.org             Primary           4

 

Comments

Server - Specifies the host name or IP address of the time server from which your system synchronizes its clock. Synchronization is one-way: the specified time server does not synchronize to the local clock of your system.

Version - Specifies which version of NTP to run (1 to 4). Best Practice - Check Point recommends that you run version 3.

Showing the Time & Date - CLI (clock)

Clock

Description

Show current system date and time

Syntax

show clock

Parameters

Parameter

Description

clock

The current system day, date, and time. The current system time is in HH:MM:SS format.

 

Example

show clock

Output

Thu Oct 6 15:20:00 2011 IST
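The requirement stated at the start of this section, that all Security Gateways, Security Management Servers and cluster members keep their clocks synchronized, can be checked from the show clock output shown above. The following Python script is an added example and is not part of the Gaia documentation or Gaia software. It assumes that an administrator has already collected the show clock output of each member (for example over SSH) and that the members report the same time zone abbreviation; the member names, sample outputs and the 5-second tolerance are constructed for this example.

```python
"""Report clock skew between Gaia cluster members from their 'show clock' output.

Added example, not part of the Gaia documentation or software. It assumes the
'show clock' output of each member was already collected (for example over SSH)
and that members report the same time zone abbreviation; the sample outputs
and the 5-second tolerance below are constructed for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: member name -> raw 'show clock' output.
SAMPLE_OUTPUT = {
    "gw-a": "Thu Oct 6 15:20:00 2011 IST",
    "gw-b": "Thu Oct 6 15:20:01 2011 IST",
    "gw-c": "Thu Oct 6 15:19:30 2011 IST",   # 30 s behind: not synchronized
}

def parse_show_clock(text):
    """Parse 'Thu Oct 6 15:20:00 2011 IST' into (naive datetime, tz abbreviation).

    The day of month is not zero-padded in this format; strptime accepts that.
    """
    fields = text.split()
    if len(fields) != 6:
        raise ValueError("unexpected show clock output: %r" % text)
    stamp = datetime.strptime(" ".join(fields[:5]), "%a %b %d %H:%M:%S %Y")
    return stamp, fields[5]

def clock_skew(outputs, max_skew_seconds=5):
    """Return (worst skew in seconds, members out of tolerance, incomparable members).

    Skew is measured against the median member time, so a single badly wrong
    clock does not drag the reference along with it. A member that reports a
    different time zone abbreviation than the majority is listed as incomparable:
    the abbreviation alone does not give a reliable UTC offset.
    """
    parsed = {name: parse_show_clock(text) for name, text in outputs.items()}
    majority_tz = Counter(tz for _, tz in parsed.values()).most_common(1)[0][0]
    comparable = {n: t for n, (t, tz) in parsed.items() if tz == majority_tz}
    incomparable = sorted(n for n in parsed if n not in comparable)

    times = sorted(comparable.values())
    reference = times[len(times) // 2]            # median
    worst, offenders = 0.0, []
    for name, stamp in comparable.items():
        skew = abs((stamp - reference).total_seconds())
        worst = max(worst, skew)
        if skew > max_skew_seconds:
            offenders.append(name)
    return worst, sorted(offenders), incomparable

if __name__ == "__main__":
    worst, offenders, incomparable = clock_skew(SAMPLE_OUTPUT)
    print("worst skew %.0f s; out of tolerance: %s; incomparable time zone: %s"
          % (worst, offenders, incomparable))
```

A member reported as out of tolerance is the one to investigate with show ntp current and show ntp servers; a member reported as incomparable has a different time zone configured and should be fixed with set timezone before its clock is compared.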

 

Setting the Date - CLI (date)

Date

Description

Set the system date

Syntax

set date <date>

show date

 

Parameters

Parameter

Description

<date>

The date in the YYYY-MM-DD format.

 

Example

set date 2012-08-10

Setting the Time - CLI (time)

Time

Description

Set the system time in HH:MM:SS format

Syntax

set time <time of day>

show time

 

Parameters

Parameter

Description

<time of day>

The current system time in HH:MM:SS format

 

Example

show time

Output

12:03:54

 

Setting the Time Zone - CLI (timezone)

Time Zone

Description

Show and Set the system time zone.

Syntax

set timezone <Area> / <Region>

Note: The spaces before and after the '/' character are important.

 
show timezone
 

Parameters

Parameter

Description

<Area>

Continent or geographic area.

Valid values:

Africa, America, Antarctica, Asia, Atlantic, Australia, Europe, Indian, Pacific

<Region>

Region within the specified area.

 

Example

set timezone America / Detroit

Cloning Groups

A Cloning Group is a collection of Gaia gateways that synchronize their OS configurations and settings for a number of these shared features:

A configuration change in one of the members is automatically propagated to other members. This is useful in ClusterXL. If the ClusterXL members are also members of a Cloning Group, static routes can be synchronized.

You can:

Important: Synchronization between members of a Cloning Group requires TCP Port 1129 to be open and communication through the port allowed by the firewall. When the gateways are part of a cluster in SmartDashboard, an implied rule in the rule base allows this connection. When the gateways are not part of the same Cluster, the implied rule does not apply. If the gateways are not part of the same cluster object in SmartDashboard, make sure there is a rule that allows connections on TCP port 1129.

Configuring Cloning Groups - WebUI

Cloning Groups are configured from the gateway WebUI.

To create a new Cloning Group:

  1. Open the Gaia gateway WebUI.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Creation Wizard opens.

  3. Select Create a new Cloning Group.

    The New Gaia Cloning Group window opens.

    • Enter a name for the Cloning Group
    • Select an IP address for synchronizing settings between member gateways. Select an address on a secure internal network.
    • Enter a password for the administration account (cadmin). This password is necessary to:
      • Manage the Cloning Group
      • Add other gateways to the Cloning Group
      • Create encrypted traffic between members of the Cloning Group
  4. In the Shared Features screen, select features to clone to other members of the group.

    Pay attention to which features you want to clone. For example, you might not want to clone static routes to gateways that are members of a cluster.

  5. Click Next for the Wizard Summary and then click Finish.

To manage the Cloning Group:

  1. Sign out of the WebUI
  2. Sign in to the same WebUI using the cadmin account and password.

    (Alternatively, log in to the gateway command line using the cadmin credentials.)

    Important: No unique URL or IP address is needed to access the Cloning Group WebUI or clish command line. Use the URL or IP address of the member gateway.

  3. In System Management > Cloning Group, select features from the Shared Features.
  4. Click Set Shared Features.

    The shared features are propagated to all members of the group. If, for example, you then configure a primary DNS server on one member of the Cloning Group, and DNS is one of the Shared Features, then the DNS settings are propagated to all members of the group. The DNS settings in the WebUI of each member are grayed out.

To join a Cloning Group:

  1. Open the Gaia gateway WebUI.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Wizard opens.

  3. Select Join an existing Cloning Group.
  4. The Join Existing Cloning Group window opens.
    • Enter the IP address of a remote member of the Cloning Group.
    • Select an IP address for synchronizing the settings between gateways. Select a secure internal address.
    • Enter the password of the Cloning Group administration account (cadmin). (The same password you entered when creating the group.) The cadmin password:
      • Lets you log in to the cadmin account
      • Is used to create authentication credentials for members during synchronization
  5. Click Next for the Wizard Summary and then click Finish.

To create a Cloning Group that follows ClusterXL:

Select this option if the gateway is a member of a ClusterXL.

Note: If you select this option, you have to select it for all the members of the cluster.

  1. Open the Gaia WebUI.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Creation Wizard opens.

  3. Select Cloning Group follows ClusterXL.
    • Enter the Cloning Group name.
    • Enter a password for the Cloning Group administration account (cadmin).
  4. Click Next for the Wizard Summary and then click Finish.
  5. Repeat steps 1-4 for all members of the cluster.

Configuring Cloning Groups - CLI (Cloning Groups)

Cloning Groups can also be managed in the clish command line interface. When run from the cadmin account, these commands apply to all members of the group.

You can create Cloning Groups in manual or in ClusterXL mode.

To create the first Cloning Group member in manual mode:

  1. Set the cloning group mode to manual
  2. Set the cloning group local-ip
  3. Set the cloning group password
  4. Set the cloning group state to: on
  5. Optional: set a name for the Cloning Group

To add other gateways to the Cloning Group in manual mode:

On each of those gateways:

  1. Set the cloning group mode to manual
  2. Set the cloning group local ip
  3. Set the cloning group password
  4. Run the join cloning group command to join the group

To create Cloning Group members in ClusterXL mode:

On all member gateways:

  1. Set the cloning group mode to ClusterXL
  2. Set the cloning group password
  3. Set the cloning group state to: on

To set up a Cloning Group:

Run this command: set cloning-group {local-ip <IPv4_address> | mode <manual|cluster-xl> | name <Cloning Group_name> | password | state <on|off>}

Parameter

Description

local-ip <IPv4 address>

The IPv4 address used to synchronize shared features between members of the Cloning Group.

mode <manual|cluster-xl>

The mode determines whether the Cloning Group is manually defined or through ClusterXL.

name <Cloning Group_name>

Name of the Cloning Group.

password

Password for the administrator's (cadmin) account, used to access the Cloning Group configuration in the CLI or WebUI.

When prompted, enter and confirm the password.

state on|off

Turns the Cloning Group feature on or off. If you select off, the gateway is removed from the Cloning Group.

To add Shared Features

Run this command: add cloning-group shared-feature <feature>

Parameter

Description

feature

The name of the feature to be synchronized between the members of the Cloning Group:

  • aggregate
  • bgp
  • bootp
  • cron
  • dns
  • hosts
  • igmp
  • inboundfilters
  • time
  • ntp
  • message
  • ospf
  • ospf3
  • password-controls
  • mailrelay
  • display-format
  • http
  • net-access
  • users-and-roles
  • arp
  • syslog
  • proxy
  • host-access
  • pbr
  • pim
  • redistribution
  • rip
  • routemap
  • routingoptions
  • static
  • static-mroute
  • snmp

 

To delete Shared Features

Run this command: delete cloning-group shared-feature <feature>

Parameter

Description

feature

The name of the feature to remove from the list of shared features. Valid values are the same as for add cloning-group shared-feature.

 

To join a Cloning Group:

Run this command: join cloning-group remote-ip <IPv4_address>

Parameter

Description

IPv4_address

The IPv4 address of a member of the Cloning Group.

Note - This option is not available if you are logged into the cadmin account.

To remove a member from a Cloning Group:

On the member gateway, run this command: leave cloning-group

To view Cloning Group Attributes:

Run this command: show cloning-group {local-ip | members | mode | name | shared-feature | state | status}

Parameter

Description

local-ip

The IPv4 address used to synchronize shared features between the members of the Cloning Group.

members

Shows the members of the Cloning Group.

mode

Shows the Cloning Group mode: manual or ClusterXL

name

Shows the name of the Cloning Group

shared-feature

Lists the features that are used by all members of the Cloning Group.

state

Shows the Cloning Group state - enabled or disabled.

status

Shows the status of the Cloning Group member.

Note - This option is not available if you are logged into the cadmin account.

To re-synchronize a Cloning Group:

On a member gateway, run this command: re-synch cloning-group

SNMP

Simple Network Management Protocol (SNMP) is an Internet standard protocol used to exchange management information between network devices. SNMP carries this information in messages called protocol data units (PDUs). SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters (managers).

Through the SNMP protocol, network management applications can query a management agent using a supported MIB. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.

To view detailed information about each MIB that the Check Point implementation supports:

MIB                                          Location
Standard MIBs                                /usr/share/snmp/mibs
Check Point MIBs                             $CPDIR/lib/snmp
Check Point Gaia trap MIBs (GaiaTrapsMIB)    /etc/snmp

The Check Point implementation also supports the User‑based Security model (USM) portion of SNMPv3.

The Gaia implementation of SNMP is built on net-snmp 5.4.2.1, with Check Point changes to the upstream version for security and other fixes. For more information, see Net-SNMP.

Warning - If you use SNMP, change the default community strings. If you do not use SNMP, disable it, or at least delete the community strings.

SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps. The Check Point implementation also supports using SetRequest to change these attributes only: sysContact, sysLocation, and sysName. You must configure read-write permissions (a read-write community, or a read-write USM user) for set operations to work.

SNMP on Check Point platforms supports SNMP v1, v2, and v3.

Use Gaia to run these tasks:

V3 - User-Based Security Model (USM)

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM (described in RFC 3414), access to the SNMP service is controlled on the basis of user identities. Each user has a name, an authentication pass phrase (used for identifying the user), and an optional privacy pass phrase (used for protection against disclosure of SNMP message payloads).

The system uses the MD5 hashing algorithm (HMAC-MD5-96) to supply authentication and integrity protection and DES (CBC-DES) to supply encryption (privacy). These are the baseline algorithms of RFC 3414, so the protection you get depends on using both mechanisms with strong pass phrases. Best Practice - Use authentication and encryption. You can use them independently by specifying one or the other with your SNMP manager requests. The Gaia system responds accordingly.

SNMP users are maintained separately from system users. You can create SNMP user accounts with the same names as existing user accounts or different. You can create SNMP user accounts that have no corresponding system account. When you delete a system user account, you must separately delete the SNMP user account.

Enabling SNMP

The SNMP daemon is disabled by default. If you choose to use SNMP, enable and configure it according to your security requirements. At minimum, you must change the default community string to something other than public. It is also advised to select SNMPv3, rather than the default v1/v2/v3, if your management station supports it.

Note - If you do not plan to use SNMP to manage the network, disable it. Enabling SNMP opens potential attack vectors for surveillance activity. It lets an attacker learn about the configuration of the device and the network.

You can choose to use all versions of SNMP (v1, v2, and v3) on your system, or to grant SNMPv3 access only. If your management station supports v3, select v3-Only on your Gaia system. In v3-Only mode, community-based (v1/v2) access is disabled: only requests from users with enabled SNMPv3 access are allowed, and all other requests are rejected.

SNMP Agent Address

An agent address is a specified IP address at which the SNMP agent listens and reacts to requests. The default behavior is for the SNMP agent to listen to and react to requests on all interfaces. If you specify one or more agent addresses, the system SNMP agent listens and responds only on those interfaces.

You can use the agent address as a different method to limit SNMP access. For example: you can limit SNMP access to one secure internal network that uses a specified interface. Configure that interface as the only agent address.

SNMP Traps

Managed devices use trap messages to report events to the network management station (NMS). When some types of events occur, the platform sends a trap to the management station.

The Gaia proprietary traps are defined in GaiaTrapsMIB.mib in the /etc/snmp directory.

Gaia supports these types of traps:

Type of Trap

Description

coldStart

Notifies when the SNMPv2 agent is re-initialized.

linkUpLinkDown

Notifies when one of the links changes state to up or down.

authorizationError

Notifies when an SNMP operation is not properly authenticated.

configurationChange

Notifies when a change to the system configuration is applied.

configurationSave

Notifies when a permanent change to the system configuration occurs.

lowDiskSpace

Notifies when space on the system disk is low.

This trap is sent if the disk space utilization in the / partition has reached 80 percent or more of its capacity.

powerSupplyFailure

Notifies when a power supply for the system fails.

This trap is supported only on platforms with two power supplies installed and running.

fanFailure

Notifies when a CPU or chassis fan fails.

overTemperature

Notifies when the temperature rises above the threshold.

highVoltage

Notifies when one of the voltage sensors exceeds its maximum value.

lowVoltage

Notifies when one of the voltage sensors falls below its minimum value.

raidVolumeState

Notifies when the RAID volume state is not optimal.

This trap works only if RAID is supported on the Gaia appliance or computer. To make sure that RAID monitoring is supported, run the command raid_diagnostic and confirm that it shows the RAID status.

Configuring SNMP - WebUI

To enable SNMP:

  1. In the tree view, click System Management > SNMP.
  2. Select Enable SNMP Agent.
  3. In Version drop down list, select the version of SNMP to run:
    • v1/v2/v3 (any)

      Select this option if your management station does not support SNMPv3.

    • v3-Only

      Select this option if your management station supports v3. SNMPv3 provides a higher level of security than v1 or v2.

  4. In SNMP Location String, enter a string that contains the location for the system. The maximum length for the string is 128 characters. That includes letters, numbers, spaces, special characters. For example: Bldg 1, Floor 3, WAN Lab, Fast Networks, Speedy, CA
  5. In SNMP Contact String, enter a string that contains the contact information for the device. The maximum length for the string is 128 characters. That includes letters, numbers, spaces, special characters. For example: John Doe, Network Administrator, (111) 222‑3333
  6. Click Apply.

To set an SNMP agent interface (Version R77.10 and higher):

  1. In the tree view, click System Management > SNMP.

    The SNMP Addresses table shows the applicable interfaces and their IP addresses.

  2. Select the header row checkbox to select all or select individual interfaces.

Note - If no agent addresses are specified, the SNMP protocol responds to requests from all interfaces.

To set an SNMP agent address (Version R77 and earlier):

  1. In the tree view, click System Management > SNMP.

    The SNMP Addresses table shows the applicable interfaces and their IPv4 addresses.

  2. Select the header row checkbox to select all or select individual IPv4 addresses.

Note - If no agent addresses are specified, the SNMP protocol responds to requests from all interfaces.

To configure the community strings:

  1. In the V1/V2 Settings section, in Read Only Community String, set a string other than public. This is a basic security precaution that you must always use.
  2. (Optional). Set a Read-Write Community String.

    Warning - Set a read-write community string only if you have reason to enable set operations, and if your network is secure.

To add a USM user:

  1. In the tree view, click System Management > SNMP.
  2. Below V3 - User-Based Security Model (USM), click Add. The Add New USM User window opens.
  3. In User Name, enter a name of 1 to 31 alphanumeric characters with no spaces, backslash, or colon characters. This can be the same as a user name for system access.
  4. In Security Level, select from the drop down list:
    • authPriv—The user has authentication and privacy pass phrases and can connect with privacy encryption.
    • authNoPriv—The user has only an authentication pass phrase and can connect only without privacy encryption.
  5. In User Permissions, select the privileges for the user:
    • Read-only
    • Read-write
  6. In Authentication Pass Phrase, enter a password for the user that is between 8 and 128 characters in length.
  7. In Privacy Pass Phrase, enter a pass phrase that is between 8 and 128 characters in length. Used for protection against disclosure of SNMP message payloads.
  8. Click Save. The new user shows in the table.

To delete a USM user

  1. In the tree view, click System Management > SNMP.
  2. Below V3 - User-Based Security Model (USM), select the user and click Remove. The Deleting USM User Entry window opens.
  3. The window shows this message: Are you sure you want to delete "username" entry? Click Yes.

To edit a USM user:

  1. In the tree view, click System Management > SNMP.
  2. Below V3 - User-Based Security Model (USM), select the user and click Edit. The Edit USM User window opens.
  3. In the window you can change the Security Level, User Permissions, the Authentication Passphrase, or the Privacy Passphrase.
  4. Click Save.

To enable or disable trap types:

  1. In the tree view, click System Management > SNMP.
  2. In the Enabled Traps section, click Set. The Add New Trap Receiver window opens.
    • To enable a trap: Select from the Disabled Traps list, and click Add>
    • To disable a trap: Select from the Enabled Traps list, and click Remove>
  3. Click Save.
  4. Add a USM user. You must do this even if using SNMPv1 or SNMPv2. In Trap User, select an SNMP user.
  5. In Polling Frequency, specify the number of seconds between polls.
  6. Click Apply.

To configure trap receivers (management stations):

  1. In the tree view, click System Management > SNMP.
  2. In the Trap Receivers Settings section, click Add. The Add New Trap Receiver window opens.
  3. In IPv4 Address, enter the IP address of a receiver.
  4. In Version, Select the Trap SNMP Version for the trap receiver from the drop down menu.
  5. In Community String, enter the community string for the specified receiver.
  6. Click Save.

To edit trap receivers:

  1. In the tree view, click System Management > SNMP.
  2. In the Trap Receivers Settings section, select the trap and click Edit. The Edit Trap Receiver window opens.
  3. You can change the Version or the community string.
  4. Click Save.

To delete trap receivers:

  1. In the tree view, click System Management > SNMP.
  2. In the Trap Receivers Settings section, select the trap and click Remove. The Deleting Trap Receiver Entry window opens.
  3. The window shows this message: Are you sure you want to delete "IPv4 address" entry? Click Yes.

Configuring SNMP - CLI (snmp)


Description

Use these commands to configure SNMP.

Syntax

Enable SNMP

Set Commands:

set snmp agent VALUE
set snmp agent-version VALUE
set snmp location VALUE
set snmp contact VALUE

Show Commands:

show snmp agent
show snmp agent-version
show snmp location
show snmp contact

Delete Commands:

delete snmp location
delete snmp contact

 

SNMP Agent

Add commands:

add snmp interface <IF_name> (for version R77.10 and higher)
add snmp address <IP_address> (for version R77 and earlier)

Set Commands:

set snmp community VALUE read-only
set snmp community VALUE read-write

Show Commands:

show snmp address
show snmp community

Delete Commands:

delete snmp address VALUE
delete snmp community VALUE

 

v3 USM User Settings

Add Commands:

add snmp usm user VALUE security-level authNoPriv

This opens an interactive dialog for you to enter the authentication pass phrase.

Important - We do not recommend the following non-interactive forms, because the pass phrases are stored as plain text in the command history:

add snmp usm user VALUE security-level authNoPriv auth-pass-phrase VALUE
add snmp usm user VALUE security-level authPriv auth-pass-phrase VALUE privacy-pass-phrase VALUE

To export an authNoPriv snmp user to another Gaia system use:

add snmp usm user VALUE security-level authNoPriv auth-pass-phrase-hashed VALUE

Get the hashed password by running:

show configuration snmp
 
add snmp usm user VALUE security-level authPriv

This opens an interactive dialog for you to enter passwords.

 

To export an authPriv snmp user to another Gaia system use:

add snmp usm user VALUE security-level authPriv auth-pass-phrase-hashed VALUE privacy-pass-phrase-hashed VALUE

Get the hashed password by running:

show configuration snmp

Set Commands:

set snmp usm user VALUE security-level authNoPriv auth-pass-phrase VALUE
set snmp usm user VALUE security-level authPriv auth-pass-phrase VALUE privacy-pass-phrase VALUE
set snmp usm user VALUE security-level authPriv privacy-pass-phrase VALUE auth-pass-phrase VALUE
set snmp usm user VALUE usm-read-only
set snmp usm user VALUE usm-read-write

Show Commands:

show snmp usm user VALUE
show snmp usm users

Delete Commands:

delete snmp usm user VALUE

 

SNMP Traps

Add Commands:

add snmp traps receiver VALUE version v1 community VALUE
add snmp traps receiver VALUE version v2 community VALUE
add snmp traps receiver VALUE version v3

Set Commands:

set snmp traps receiver VALUE version v1 community VALUE
set snmp traps polling-frequency VALUE
set snmp traps receiver VALUE version v2 community VALUE
set snmp traps receiver VALUE version v3
set snmp traps trap VALUE disable
set snmp traps trap VALUE enable
set snmp traps trap-user VALUE

Show Commands:

show snmp traps enabled-traps
show snmp traps polling-frequency
show snmp traps receivers
show snmp traps trap-user

Delete Commands:

delete snmp traps polling-frequency
delete snmp traps receiver VALUE
delete snmp traps trap-user
 

Parameters

Parameter

Description

snmp agent

on or off to enable or disable.

snmp agent-version

any or v3-Only

location

In SNMP Location String, enter a string that contains the location for the system. The maximum length for the string is 128 characters. That includes letters, numbers, spaces, special characters. For example: Bldg 1, Floor 3, WAN Lab, Fast Networks, Speedy, CA

contact

In SNMP Contact String, enter a string that contains the contact information for the device. The maximum length for the string is 128 characters. That includes letters, numbers, spaces, special characters. For example: John Doe, Network Administrator, (111) 222‑3333

snmp address

For version R77 and earlier: IP address of an interface at which the SNMP agent listens and responds to requests. If you do not add one, the agent responds to requests on all interfaces.

snmp interface

For version R77.10 and higher: name of an interface at which the SNMP agent listens and responds to requests. If you do not add one, the agent responds to requests on all interfaces.

community <c_name> read-only

For SNMP v1 and v2 only.

Enter a unique community name as a string value for read-only actions. The community name works like a password to identify and validate SNMP requests.

The default community name is public. We recommend that you assign community names based on industry-standard password conventions.

community <c_name> read-write

For SNMP v1 and v2 only.

Enter a unique community name as a string value for read-write actions. The community name works like a password to identify and validate SNMP requests.

The default community name is public. We recommend that you assign community names based on industry-standard password conventions.

usm user

The range is 1 to 31 alphanumeric characters with no spaces, backslash, or colon characters. This can be the same as a user name for system access.

authNoPriv

The user has only an authentication pass phrase and can connect only without privacy encryption. A user is always created with read-only privilege. This can be changed using the command
set snmp usm user <name> {usm-read-only | usm-read-write}

authPriv

The user has authentication and privacy pass phrases and can connect with privacy encryption. A user is always created with read-only privilege. This can be changed using the command
set snmp usm user <name> {usm-read-only | usm-read-write}

auth-pass-phrase

A password for the user that is between 8 and 128 characters in length.

auth-pass-phrase-hashed

A hashed password which is the output of the command
show configuration snmp

privacy-pass-phrase

A pass phrase that is between 8 and 128 characters in length. Used for protection against disclosure of SNMP message payloads.

privacy-pass-phrase-hashed

A hashed password which is the output of the command
show configuration snmp

usm users

All USM users

traps receiver

IP address selected to receive traps sent by the agent.

community

The community string sent with traps to this receiver (v1 and v2 receivers only).

traps trap

The trap name

polling-frequency

The polling frequency in seconds. Default is 20 seconds.

trap-user

The user which generates the traps.

Example

show snmp traps enabled-traps

Output

authorizationError
 

Comments

  • The CLI displays only the enabled traps. For all trap types, see the table in SNMP Traps.
  • In auth-pass-phrase and privacy-pass-phrase, notice the different options for regular and hashed pass phrase:
    auth-pass-phrase and auth-pass-phrase-hashed
    privacy-pass-phrase and privacy-pass-phrase-hashed
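The hardening advice in Enabling SNMP and in the WebUI and CLI procedures above (change the public community, prefer v3-Only, bind the agent to a specific address, prefer authPriv users, set a read-write community only with reason) can be checked mechanically against a configuration dump. The following Python script is an added example and is not part of the Gaia documentation or the Gaia CLI. It assumes the dump consists of clish set snmp / add snmp lines in the shape of the constructed samples below (the exact shape of show configuration snmp output is an assumption), and the finding codes are this example's own.

```python
"""Audit a Gaia SNMP configuration dump against the hardening advice in this chapter.

Added example, not part of the Gaia documentation or the Gaia CLI. The dump is
assumed to consist of clish 'set snmp ...' / 'add snmp ...' lines like the
constructed samples below (the exact shape of 'show configuration snmp' output
is an assumption); the finding codes are this example's own.
"""
import shlex

# Constructed sample: a default-style configuration that violates the advice.
WEAK_SNMP_CONFIG = """\
set snmp agent on
set snmp agent-version any
set snmp community public read-only
set snmp community private read-write
set snmp location "Bldg 1, Floor 3, WAN Lab"
set snmp usm user monitor security-level authNoPriv auth-pass-phrase-hashed 0xc0ffee
set snmp usm user monitor usm-read-only
set snmp traps receiver 192.0.2.10 version v2 community public
set snmp traps trap-user monitor
"""

# Constructed sample: v3-Only, authPriv user, agent bound to one interface.
HARDENED_SNMP_CONFIG = """\
set snmp agent on
set snmp agent-version v3-Only
add snmp interface Mgmt
set snmp usm user noc security-level authPriv auth-pass-phrase-hashed 0xc0ffee privacy-pass-phrase-hashed 0xdecade
set snmp usm user noc usm-read-only
set snmp traps receiver 192.0.2.10 version v3
set snmp traps trap-user noc
"""

def audit_snmp_config(dump):
    """Return a sorted list of finding codes for a configuration dump."""
    findings, agent_on, version, listeners = set(), False, "any", 0
    for raw in dump.splitlines():
        tok = shlex.split(raw)                 # respects the quoted location/contact
        if len(tok) < 4 or tok[1] != "snmp":
            continue
        verb, key, rest = tok[0], tok[2], tok[3:]
        if verb == "set" and key == "agent":
            agent_on = rest[0] == "on"
        elif verb == "set" and key == "agent-version":
            version = rest[0]
        elif verb == "add" and key in ("address", "interface"):
            listeners += 1                     # agent bound to a specific address
        elif verb == "set" and key == "community" and len(rest) >= 2:
            if rest[0] == "public":
                findings.add("DEFAULT_COMMUNITY")
            if rest[1] == "read-write":
                findings.add("READ_WRITE_COMMUNITY")
        elif verb == "set" and key == "usm" and "security-level" in rest:
            if rest[rest.index("security-level") + 1] == "authNoPriv":
                findings.add("USM_NO_PRIVACY")  # best practice is authPriv
        elif verb == "set" and key == "traps" and rest[:1] == ["receiver"]:
            if "community" in rest and rest[rest.index("community") + 1] == "public":
                findings.add("TRAP_RECEIVER_DEFAULT_COMMUNITY")
    if not agent_on:
        return ["SNMP_DISABLED"]               # nothing exposed; the other checks are moot
    if version != "v3-Only":
        findings.add("V1V2_ENABLED")           # community-based access still accepted
    if listeners == 0:
        findings.add("LISTENS_ON_ALL_INTERFACES")
    return sorted(findings)

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_SNMP_CONFIG), ("hardened", HARDENED_SNMP_CONFIG)):
        print(label, audit_snmp_config(dump) or "no findings")
```

Each finding maps to one command in the CLI reference above: DEFAULT_COMMUNITY and READ_WRITE_COMMUNITY to delete snmp community / set snmp community, V1V2_ENABLED to set snmp agent-version v3-Only, LISTENS_ON_ALL_INTERFACES to add snmp interface (or add snmp address on R77 and earlier), USM_NO_PRIVACY to set snmp usm user ... security-level authPriv, and TRAP_RECEIVER_DEFAULT_COMMUNITY to set snmp traps receiver.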

 

Interpreting Error Messages

This section lists and explains common error-status values that can appear in SNMP response messages. Within the PDU, the third field (counting the PDU type as the first) is an error-status integer that refers to a specific problem. Zero (0) means that no errors were detected. When error-status is anything other than 0, the next field, error-index, identifies the variable (object) in the variable-bindings list that caused the error.

The following table lists the error-status codes and their meanings. Codes 0 to 5 are the original SNMPv1 set; codes 6 to 18 were added in SNMPv2 (RFC 3416).

Error status code   Meaning
0                   noError
1                   tooBig
2                   noSuchName
3                   badValue
4                   readOnly
5                   genErr
6                   noAccess
7                   wrongType
8                   wrongLength
9                   wrongEncoding
10                  wrongValue
11                  noCreation
12                  inconsistentValue
13                  resourceUnavailable
14                  commitFailed
15                  undoFailed
16                  authorizationError
17                  notWritable
18                  inconsistentName

Note - You might not see the codes. The SNMP manager or utility interprets the codes and displays and logs the appropriate message.

The fourth field holds the error-index. When error-status is nonzero, the error-index identifies the variable, or object, in the variable-bindings list that caused the error: the first variable in the list has index 1, the second has index 2, and so on. An error-index of 0 means that no specific variable is identified.

The next, or fifth field, is the variable-bindings field. It consists of a sequence of pairs; the first is the identifier. The second element is one of these options: value, unSpecified, noSuchOjbect, noSuchInstance, or EndofMibView. The following table describes each element.

Variable-bindings element

Description

value

Value that is associated with each object instance; specified in a PDU request.

unSpecified

A NULL value is used in retrieval requests.

noSuchObject

Indicates that the agent does not implement the object referred to by this object identifier.

noSuchInstance

Indicates that this object does not exist for this operation.

endOfMIBView

Indicates an attempt to reference an object identifier that is beyond the end of the MIB at the agent.
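As an added example (not from the Gaia guide or Check Point's code), the Python below builds a constructed SNMPv2c Response PDU in memory, decodes its third, fourth and fifth fields as described above, and names the variable that the error-index points at; the community string, OIDs and error values are constructed sample data.

```python
"""Added example: decode error-status, error-index and variable-bindings of a constructed SNMPv2c Response PDU."""

ERROR_STATUS = {
    0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue", 4: "readOnly",
    5: "genError", 6: "noAccess", 7: "wrongType", 8: "wrongLength",
    9: "wrongEncoding", 10: "wrongValue", 11: "noCreation", 12: "inconsistentValue",
    13: "resourceUnavailable", 14: "commitFailed", 15: "undoFailed",
    16: "authorizationError", 17: "notWritable", 18: "inconsistentName"}

def tlv(tag, body):          # BER type-length-value; short-form length (< 128 bytes) only
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):      # -> (tag, body, position just after this TLV)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(oid):         # dotted OID -> OBJECT IDENTIFIER TLV (arcs below 128 only)
    arcs = [int(a) for a in oid.split(".")]
    return tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))

def decode_oid(body):        # inverse of encode_oid for the same restricted OIDs
    return ".".join(str(a) for a in [body[0] // 40, body[0] % 40] + list(body[1:]))

def decode_response(msg):
    """Return the named error-status, the error-index and the OID that index points at."""
    _, seq, _ = read_tlv(msg, 0)              # Message ::= SEQUENCE { version, community, data }
    _, _, pos = read_tlv(seq, 0)              # version
    _, _, pos = read_tlv(seq, pos)            # community string
    tag, pdu, _ = read_tlv(seq, pos)
    if tag != 0xA2:                           # context-specific tag 2 = Response-PDU
        raise ValueError("not a Response PDU")
    _, _, pos = read_tlv(pdu, 0)              # request-id
    _, status, pos = read_tlv(pdu, pos)       # third field: error-status
    _, index, pos = read_tlv(pdu, pos)        # fourth field: error-index
    _, vbl, _ = read_tlv(pdu, pos)            # fifth field: variable-bindings
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)           # VarBind ::= SEQUENCE { name, value }
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    status, index = int.from_bytes(status, "big"), int.from_bytes(index, "big")
    failing = oids[index - 1] if status and 1 <= index <= len(oids) else None
    return {"error_status": ERROR_STATUS.get(status, "unknown(%d)" % status),
            "error_index": index, "failing_oid": failing, "oids": oids}

def build_sample():
    """Constructed Response: error-status 16 (authorizationError) with error-index 2."""
    vbl = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b""))   # name plus NULL value
                   for o in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0"))
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x10") + tlv(0x02, b"\x02") + tlv(0x30, vbl)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + tlv(0xA2, pdu))
```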

GetRequest

The following table lists possible value field sets in the response PDU or error-status messages when performing a GetRequest.

Value Field Set

Description

noSuchObject

If a variable does not have an OBJECT IDENTIFIER prefix that exactly matches the prefix of any variable accessible by this request, its value field is set to noSuchObject.

noSuchInstance

If the variable's name does not exactly match the name of a variable, its value field is set to noSuchInstance.

genErr

If the processing of a variable fails for any other reason, the responding entity returns genErr and a value in the error-index field that is the index of the problem object in the variable-bindings field.

tooBig

If the size of the message that encapsulates the generated response PDU exceeds a local limitation or the maximum message size of the request’s source party, then the response PDU is discarded and a new response PDU is constructed. The new response PDU has an error-status of tooBig, an error-index of zero, and an empty variable-bindings field.

GetNextRequest

The only values that can be returned as the second element in the variable-bindings field to a GetNextRequest when an error-status code occurs are unSpecified or endOfMibView.

GetBulkRequest

The GetBulkRequest minimizes the number of protocol exchanges and lets the SNMPv2 manager request a response that is as large as possible.

The GetBulkRequest PDU has two fields that do not appear in the other PDUs: non-repeaters and max-repetitions. The non-repeaters field specifies the number of variables in the variable-bindings list for which a single lexicographic successor is to be returned. The max-repetitions field specifies the number of lexicographic successors to be returned for each of the remaining variables in the variable-bindings list.

If at any point in the process a lexicographic successor does not exist, the endOfMibView value is returned with the name of the last lexicographic successor, or, if there were no successors, the name of the variable in the request.

If the processing of a variable name fails for any reason other than endOfMibView, no values are returned. Instead, the responding entity returns a response PDU with an error-status of genErr and a value in the error-index field that is the index of the problem object in the variable-bindings field.
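The GetBulkRequest processing described above, as an added Python simulation that is not Gaia's implementation: the MIB view, OIDs and values are constructed, and get_bulk returns up to N + M*R bindings, endOfMibView where a successor is missing, and genErr with the error-index for a malformed name.

```python
"""Added example, not Gaia code: agent-side GetBulkRequest processing over a constructed MIB view."""

END_OF_MIB_VIEW = "endOfMibView"

# Constructed MIB view: OID -> value (system-group scalars and one ifDescr column).
MIB = {
    "1.3.6.1.2.1.1.1.0": "Gaia host",       # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 12345,             # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "gw-1",            # sysName.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",        # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",        # ifDescr.2
}

def arcs(oid):
    """OID as a tuple of ints, so lexicographic OID order is plain tuple order."""
    return tuple(int(a) for a in oid.split("."))

def lexicographic_successor(name):
    """Smallest OID in the view that sorts after name, or None at the end of the view."""
    later = [o for o in MIB if arcs(o) > arcs(name)]
    return min(later, key=arcs) if later else None

def get_bulk(names, non_repeaters, max_repetitions):
    """Return the Response-PDU fields for a GetBulkRequest over the constructed view.

    Up to N + M*R bindings come back: one successor for each of the N non-repeaters,
    then M repetitions of successors for the R remaining (repeating) variables.
    """
    for i, name in enumerate(names, 1):        # a malformed name -> genErr plus its index
        if not all(a.isdigit() for a in name.split(".")):
            return {"error_status": "genErr", "error_index": i, "varbinds": []}
    n = min(max(non_repeaters, 0), len(names))
    out = []
    for name in names[:n]:                      # non-repeaters: a single successor each
        succ = lexicographic_successor(name)
        out.append((succ, MIB[succ]) if succ else (name, END_OF_MIB_VIEW))
    current = list(names[n:])                   # repeaters advance one step per repetition
    for _ in range(max(max_repetitions, 0)):
        for i, name in enumerate(current):
            succ = lexicographic_successor(name)
            if succ is None:                    # keep the last successor's name (or the
                out.append((name, END_OF_MIB_VIEW))   # requested name if there never was one)
            else:
                current[i] = succ
                out.append((succ, MIB[succ]))
    return {"error_status": "noError", "error_index": 0, "varbinds": out}
```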

Job Scheduler

You can use WebUI to access cron and schedule regular jobs. You can configure the jobs to run at the dates and times that you specify, or at startup.

Configuring Job Scheduler - WebUI

To schedule jobs:

  1. In the tree view, click System Management > Job Scheduler.
  2. Click Add. The Add A New Scheduled Job window opens.
  3. In Job Name, enter the name of the job. Use alphanumeric characters only, and no spaces.
  4. In Command to Run, enter the name of the command. The command must be a UNIX command.
  5. Below Schedule, select the frequency (Daily, Weekly, Monthly, At startup) for this job. Where relevant, enter the Time of day for the job, in the 24 hour clock format.
  6. Click OK. The job shows in the Scheduled Jobs table.
  7. In E-mail Notification, enter the email to receive the notifications.

    Note - You must also configure a Mail Server.

  8. Click Apply.

To delete scheduled jobs:

  1. In the tree view, click System Management > Job Scheduler.
  2. In the Scheduled Jobs table, select the job to delete.
  3. Click Delete.
  4. Click OK to confirm, or Cancel to abort.

To edit the scheduled jobs:

  1. In the tree view, click System Management > Job Scheduler.
  2. In the Scheduled Jobs table, select the job that you want to edit.
  3. Click Edit. The Edit Scheduled Job window opens.
  4. Enter the changes.
  5. Click OK.

Configuring Job Scheduler - CLI (cron)

Description

Use these commands to configure your system to schedule jobs. The jobs run on the dates and times you specify.

You can define an email address to which the output of the scheduled job will be sent.

Syntax

To add scheduled jobs:

add cron job VALUE command VALUE recurrence daily time VALUE
add cron job VALUE command VALUE recurrence monthly month VALUE days VALUE time VALUE
add cron job VALUE command VALUE recurrence weekly days VALUE time VALUE
add cron job VALUE command VALUE recurrence system-startup
 

To delete scheduled jobs:

delete cron all
delete cron job VALUE
delete cron mailto
 

To change existing scheduled jobs:

set cron job VALUE command VALUE
set cron job VALUE recurrence daily time VALUE
set cron job VALUE recurrence monthly month VALUE days VALUE time VALUE
set cron job VALUE recurrence weekly days VALUE time VALUE
set cron job VALUE recurrence system-startup
set cron mailto VALUE
 

To monitor and troubleshoot the job scheduler configuration:

show cron job VALUE command
show cron job VALUE recurrence
show cron jobs
show cron mailto
 

Parameters

Parameter

Description

job

The name of the job.

command

The name of the command.

recurrence daily time

To specify a job for once a day, enter recurrence daily time, and the time of day, in the 24 hour clock format. For example: 14:00.

recurrence monthly month

To specify a job for once a month, enter recurrence monthly month and the specific months, each month by number and separated by commas. For example: for January through March, enter 1,2,3

recurrence weekly days

To specify a job for once a week, enter recurrence weekly days and the days by number, where 0 is Sunday and 6 is Saturday.

recurrence system-startup

Specify a job that will run at every system startup.

days

When the recurrence is weekly: To specify the days, enter the day by number: 0 is Sunday and 6 is Saturday.

When the recurrence is monthly: To specify the days, enter the day by number: 1 to 31.

Separate several days with commas. For example: for Monday and Thursday enter 1,4

time

To specify the time, enter the time in the 24 hour clock format. For example: 14:00.

mailto

To specify a mail recipient, enter the email address. One email address per command. You must also configure a mail server.

Comments

Only show commands produce output.
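An added Python check, not part of Gaia, that validates the recurrence parameters listed above (24 hour time, weekly days 0-6, monthly days 1-31 and months 1-12) and renders the equivalent crontab schedule field; mapping system-startup to @reboot is an assumption about the underlying cron, not something the guide states.

```python
"""Added example, not Gaia code: validate 'add cron job' recurrence parameters and render the crontab schedule."""

import re

def parse_time(value):
    """'14:00' -> (14, 0); anything outside the 24-hour clock is rejected."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", value or "")
    if not m or int(m[1]) > 23 or int(m[2]) > 59:
        raise ValueError("time must be HH:MM on the 24-hour clock: %r" % value)
    return int(m[1]), int(m[2])

def parse_list(value, low, high, what):
    """'1,4' -> [1, 4]; every number must lie in low..high (weekly days 0-6, months 1-12, ...)."""
    items = [p.strip() for p in (value or "").split(",")]
    if not all(p.isdigit() and low <= int(p) <= high for p in items):
        raise ValueError("%s must be numbers %d-%d separated by commas: %r" % (what, low, high, value))
    return sorted(set(int(p) for p in items))

def schedule(recurrence, time=None, days=None, month=None):
    """Crontab schedule (minute hour day-of-month month day-of-week) for a Gaia recurrence.

    system-startup is rendered as @reboot, an assumption about the underlying cron.
    """
    if recurrence == "system-startup":
        return "@reboot"
    hour, minute = parse_time(time)
    if recurrence == "daily":
        return "%d %d * * *" % (minute, hour)
    if recurrence == "weekly":
        dow = parse_list(days, 0, 6, "weekly days")        # 0 is Sunday, 6 is Saturday
        return "%d %d * * %s" % (minute, hour, ",".join(map(str, dow)))
    if recurrence == "monthly":
        dom = parse_list(days, 1, 31, "monthly days")
        months = parse_list(month, 1, 12, "months")
        return "%d %d %s %s *" % (minute, hour, ",".join(map(str, dom)), ",".join(map(str, months)))
    raise ValueError("unknown recurrence: %r" % recurrence)
```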

Mail Notification

Mail notifications (also known as Mail Relay) allow you to send email from the Security Gateway. You can send email interactively or from a script. The email is relayed to a mail hub that sends the email to the final recipient.

Mail notifications are used as an alerting mechanism when a Firewall rule is triggered. They are also used to email the results of cron jobs to the system administrator.

Gaia supports these mail notification features:

Gaia does not support these mail notification features:

Configuring Mail Notification - WebUI

To configure the mail notification recipient:

  1. In the tree view, click System Management > Mail Notification.
  2. In the Mail Server field, enter the server. For example: mail.example.com
  3. In the User Name field, enter the user name. For example: user@mail.example.com
  4. Click Apply.

Configuring Mail Notification - CLI (mail-notification)

Description

Use this group of commands to configure mail notifications.

Syntax

To configure the mail server and user that receive the mail notifications:

set mail-notification server VALUE
set mail-notification username VALUE
 

To view the mail server and user configurations:

show mail-notification server
show mail-notification username

Parameters

Parameter

Description

server

The IP address or hostname of the mail server to receive mail notifications. For example: mail.company.com

username

The username on the mail server that receives the admin or monitor mail notifications. For example: user@mail.company.com

 

Example

show mail-notification server

Output

Mail notification server: mail.company.com
 

Messages

You can configure Gaia to show a Banner Message and a Message of the Day to users when they log in.

Banner Message

  • Default message: "This system is for authorized use only"
  • When shown in WebUI: Browser login page, before logging in
  • When shown in clish: When logging in, before entering the password
  • Default state: Enabled

Message of the Day

  • Default message: "You have logged into the system"
  • When shown in WebUI: After logging in to the system
  • When shown in clish: After logging in to the system
  • Default state: Disabled

Configuring Messages - WebUI

To configure messages:

  1. In the tree view, click System Management > Messages.
  2. To enter a Banner message, select Banner message.
  3. To enter a Message of the day, select Message of the day.
  4. Enter the messages.
  5. Click Apply.

Configuring Messages - CLI (message)

Description

Set or show a banner message or a message of the day.

Syntax and Examples

To define a new banner message or message of the day:

set message banner <on|off> msgvalue <banner>
set message motd <on|off> msgvalue <message>

Examples:

set message banner on msgvalue "This system is private and confidential"
set message motd on msgvalue "Hi all- no changes allowed today"

To enable or disable the banner message:

set message banner on
set message banner off

To enable or disable the message of the day:

set message motd on
set message motd off

To show the messages:

show message all
show message banner
show message motd

To show if the messages are enabled or disabled:

show message all status
show message banner status
show message motd status

To delete the messages:

The delete command deletes the user defined message, not the default message. To prevent a message being shown, turn off the message.

  1. Delete the configured message:

    delete message banner
    delete message motd

    This deletes the configured messages and replaces them with the default messages.

  2. Disable the default messages:

    set message banner off
    set message motd off

To make a multi-line banner message or message of the day:

You can add a line to an existing message. If you delete the message, all lines are deleted, and replaced with the default message. To add a line to an existing message:

set message banner on line msgvalue <message> 
set message motd on line msgvalue <message> 

Examples:

set message banner on line msgvalue Welcome
set message motd on line msgvalue "System maintenance today"

Session

Manage inactivity timeout (in minutes) for the command line shell and for the WebUI.

Configuring the Session - WebUI

  1. In the tree view, click System Management > Session.
  2. Configure the Inactivity Timeout for the Command Line Shell.
  3. Configure the Inactivity Timeout for the WebUI.

Configuring the Session - CLI (inactivity-timeout)

Description

Manage inactivity timeout (in minutes) for the command line shell.

Syntax

set inactivity-timeout VALUE
show inactivity-timeout

Parameters

Parameter

Description

inactivity-timeout

The inactivity timeout (in minutes) for the command line.

 

Core Dumps

A Gaia core dump consists of the recorded status of the working memory of the Gaia computer at the time that a Gaia process terminated abnormally.

When a process terminates abnormally, it produces a core file in the /var/log/dump/usermode directory.

If less than 200 MB is available on the /log partition, no dumps are created, and all existing dumps are deleted to free space. This prevents core dumps from filling the /log partition.

Configuring Core Dumps - WebUI

To configure core dumps, enable the feature and then configure parameters.

To configure core dumps:

  1. Open the System Management > Core Dumps page.
  2. Configure the Core Dump parameters.
  3. Click Apply.

Core Dump Parameters

Parameter

Description

Total space limit

The maximum amount of space that is used for core dumps. If space is required for a dump, the oldest dump is deleted. The per-process limit is enforced before the space limit.

  • Range: 0-99999 MB
  • Default: 1000 MB

Dumps per process

The maximum number of dumps that are stored for each process executable (program) file. A new dump overwrites the oldest dump. For example, if there are two programs "A" and "B", and the per-process limit is 2: "A" terminates 1 time and "B" terminates 3 times. The dumps that remain are 1 dump for program "A" and 2 dumps for program "B". Dump 3 for "B" is deleted because of the per-process limit. The per-process limit is enforced before the space limit.

  • Range: 0 - 99999
  • Default: 2

Configuring Core Dumps - CLI (core-dump)

Description

Configure Gaia core dumps.

Syntax

To enable or disable core dumps:

set core-dump enable
set core-dump disable
 

To set the total space usage limit:

set core-dump total VALUE
 

To set the number of dumps per process:

set core-dump per_process VALUE
 

To show the total space usage limit:

show core-dump total
 

To show the number of dumps per process:

show core-dump per_process
 

Parameters

Parameter

Description

total VALUE

The maximum amount of space that is used for core dumps. If space is required for a dump, the oldest dump is deleted. The per-process limit is enforced before the space limit.

  • Range: 0-99999 MB
  • Default: 1000 MB

per_process VALUE

The maximum number of dumps that are stored for each process executable (program) file. A new dump overwrites the oldest dump. For example, if there are two programs "A" and "B", and the per-process limit is 2: "A" terminates 1 time and "B" terminates 3 times. The dumps that remain are 1 dump for program "A" and 2 dumps for program "B". Dump 3 for "B" is deleted because of the per-process limit. The per-process limit is enforced before the space limit.

  • Range: 0 - 99999
  • Default: 2
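An added Python simulation (not Gaia code) of the two retention limits described above, applied in the order the guide states: the per-process limit first, then the total space limit. The crash sequence and the uniform 100 MB dump size are constructed assumptions.

```python
"""Added example, not Gaia code: simulate the core-dump retention limits (dumps per process, then total space)."""

def retain(events, per_process=2, total_mb=1000, dump_size_mb=100):
    """Apply the per-process limit, then the total-space limit, to a crash sequence.

    events: program names in the order their processes terminated abnormally; each
    crash writes one dump of dump_size_mb (a constructed, uniform size). Returns the
    surviving dumps as (sequence number, program) tuples, oldest first.
    """
    kept = []
    for seq, program in enumerate(events, 1):
        if per_process == 0 or dump_size_mb > total_mb:
            continue                            # a limit of 0, or a dump that can never fit
        mine = [d for d in kept if d[1] == program]
        if len(mine) >= per_process:            # per-process limit first: the new dump
            kept.remove(mine[0])                # overwrites this program's oldest dump
        while (len(kept) + 1) * dump_size_mb > total_mb:
            kept.pop(0)                         # then total space: the oldest dump of any
        kept.append((seq, program))             # program is deleted until the new one fits
    return kept

def count_by_program(kept):
    """Dumps that remain per program, e.g. {'A': 1, 'B': 2} for the guide's scenario."""
    counts = {}
    for _, program in kept:
        counts[program] = counts.get(program, 0) + 1
    return counts
```

With the guide's scenario (A crashes once, B three times, per-process limit 2) the survivors are one dump for A and the two newest dumps for B; with a 300 MB total limit the same sequence still keeps A's dump, because the per-process eviction frees the space before the total limit is checked.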

System Configuration

Before you can configure IPv6 addresses and IPv6 static routes on a Gaia Security Management Server or Security Gateway you must:

  1. Enable IPv6 support for the Gaia operating system and Firewall.
  2. On the Security Management Server, install and enable an IPv6 license.
  3. Create IPv6 objects in SmartDashboard.
  4. Create IPv6 Firewall rules in SmartDashboard.

Configuring IPv6 Support - WebUI

  1. In the WebUI tree view, click System Management > System Configuration.
  2. In the IPv6 Support area, click On.
  3. Click Apply.