Configuring SNMP Monitoring

Configure the SNMP monitoring thresholds in the command line of the Security Management Server. When you install the policy on the gateways the SNMP monitoring thresholds are applied globally to all gateways.

Configuring in Multi-Domain Security Management

In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain Server and on each individual Domain Management Server. Thresholds that you configure on the Multi-Domain Server are for the Multi-Domain Server only. Thresholds that you configure for a Domain Management Server are for that Domain Management Server and its gateways. If a threshold applies to the Multi-Domain Server and the Domain Management Server gateways, set it on the Multi-Domain Server and Domain Management Server. However, in this situation you might only get alerts from the Multi-Domain Server if the threshold is passed.

For example, because the Multi-Domain Server and Domain Management Server are on the same machine, if the CPU threshold is passed, it applies to both of them. However, only the Multi-Domain Server generates alerts.

You can see the Multi-Domain Security Management level for each threshold with the threshold_config utility.

• If the Multi-Domain Security Management level for a threshold is Multi-Domain Server, alerts are generated for the Multi-Domain Server when the threshold point is passed.
• If the Multi-Domain Security Management level for a threshold is Multi-Domain Server, Domain Management Server, alerts are generated for the Multi-Domain Server and Domain Management Servers separately when the threshold point is passed.

Configuring a Local Gateway Policy

You can configure SNMP thresholds locally on a gateway with the same procedure that you do on a Security Management Server. However, each time you install a policy on the gateway, the local settings are erased and it reverts to the global SNMP threshold settings.

You can use the threshold_config utility to save the configuration file and load it again later. Or you can manually back up the configuration file so that you can copy the configuration to the gateway again after you install the policy.

The configuration file that you can back up is: $FWDIR/conf/thresholds.conf

Configuration Procedures

There is one primary command to configure the thresholds in the command line, threshold_config. You must be in the Expert mode to run it. After you run threshold_config, follow the on-screen instructions to make selections and configure the global settings and each threshold.

When you run threshold_config, you get these options:

• Show policy name - Shows you the name configured for the threshold policy.
• Set policy name - Lets you set a name for the threshold policy.
• Save policy- Lets you save the policy.
• Save policy to file - Lets you export the policy to a file.
• Load policy from file - Lets you import a threshold policy from a file.
• Configure global alert settings - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.
• Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are sent.
• View thresholds overview - Shows a list of all thresholds that you can set including: the category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.
• Configure thresholds - Open the list of threshold categories to let you select thresholds to configure.

Configure Global Alert Settings

If you select Configure global alert settings, you can configure global settings for how frequently alerts are sent and how many alerts are sent. You can also configure these settings for each threshold. If a threshold does not have its own alert settings, it uses the global settings by default.

You can configure these options:

• Enter Alert Repetitions - How many alerts will be sent when an active alert is triggered. If you enter 0, alerts will be sent until the problem is fixed.
• Enter Alert Repetitions Delay - How long the system waits between sending active alerts.
• Enter Clear Alert Repetitions - How many clear alerts will be sent after a threshold returns to a normal value.
• Enter Clear Alert Repetitions Delay - How long the system waits between sending clear alerts.

Configure Alert Destinations

If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are sent. You can also see a list of the configured destinations. A destination is usually an NMS (Network Management System) or a Check Point log server.

After entering the details for a destination, the CLI asks if the destination should apply to all thresholds.

• If you enter yes, alerts for all thresholds are sent to that destination, unless you remove the destination from an individual threshold.
• If you enter no, no alerts are sent to that destination by default. However, for each individual threshold, you can configure the destinations and you can add destinations that were not applied to all thresholds.

For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all thresholds.

For each alert destination enter:

• Name - An identifying name.
• IP - The IP address of the destination.
• Port - Through which port it is accessed
• Ver - The version on SNMP that it uses
• Other data- Some versions of SNMP require more data. Enter the data that is supplied for that SNMP version.

Configure Thresholds

If you select Configure thresholds, you see a list of the categories of thresholds, including:

• Hardware
• High Availability
• Networking
• Resources
• Log Server Connectivity

Some categories apply only to some machines or deployments. For example, Hardware applies only to Check Point appliances and High Availability applies only to clusters or high availability deployments.

Select a category to see the thresholds in it. Each threshold can have these options:

• Enable/Disable Threshold - If the threshold is enabled, the system sends alerts when there is a problem. If it is disabled it does not generate alerts.
• Set Severity - You can give each threshold a severity setting. The options are: Low, Medium, High, and Critical. The severity level shows in the alerts and in SmartView Monitor and lets you know quickly how important the alert is.
• Set Repetitions - Set how frequently and how many alerts will be sent when the threshold is passed. If you do not configure this, it uses the global alert settings.
• Set Threshold Point - Enter the value that will cause active alerts when it is passed. Enter the number only, without a unit of measurement.
• Configure Alert Destinations - See all of the configured alert destinations. By default, active alerts and clear alerts are sent to the destinations. You can change this for each destination. Select the destination and you see these options:
  • Remove from destinations - If you select this, alerts for this threshold are not sent to the selected destination.
  • Add a destination - If you configured a destination in the global alert destinations but did not apply it to all thresholds, you can add it to the threshold.
  • Disable clear alerts - If you select this, clear alerts for this threshold are not sent to the selected destination. Active alerts are sent.

Completing the Configuration

To complete threshold configuration and activate the settings:

• On the Security Management Server, install the policy on all Security Gateways.
• For a local Security Gateway threshold policy or a Multi-Domain Security Management Multi-Domain Server environment, restart the CPD process using the cpwd_admin utility:
  1. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
  2. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Monitoring SNMP Thresholds

You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.

To see an overview of the SNMP thresholds:

1. Open SmartView Monitor and select a Security Gateway.
2. In the summary of the Security Gateway data that open in the bottom pane, click System Information.
3. In the new pane that opens, click Thresholds.
4. In the pane that opens, you can see these details:

• General Info - A summary of the total SNMP Threshold policy.
  • Policy name- The name that you set for the policy in the CLI.
  • State - If the policy is enabled or disabled.
  • Thresholds - How many thresholds are enabled.
  • Active events - How many thresholds are currently sending alerts.
  • Generated Events - How many thresholds went from not active to active since the policy was installed.
• Active Events- Details for the thresholds that are currently sending alerts.
  • Name - The name of the alert (given in the CLI)
  • Category - The category of the alert (given in the CLI), for example, Hardware or Resources.
  • MIB object - The name of the object as recorded in the MIB file.
  • MIB object value - The value of the object when the threshold became active, as recorded in the MIB file.
  • State - The current state of the object, either active or clearing (passed the threshold but is returning to normal value.
  • Severity - The severity of that threshold, as you configured for it in the CLI.
  • Activation time - When the alert was first sent.
• Alert Destinations - A list of the destinations that alerts are sent to.
  • Name - The name of the location.
  • Type - The type of location, for example, a log server or NMS.
  • State - If logs are being sent from the gateway or Security Management Server to the destination machine.
  • Alert Count - How many alerts were sent to the destination from when the policy was started.
• Errors - Shows thresholds that cannot be monitored. For example, the Security Gateway cannot monitor RAID sensors on a machine that does not have RAID sensors. Therefore it will show an error for the RAID Sensor Threshold.
  • Threshold Name - The name of the threshold with an error.
  • Error - A description of the error.
  • Time of Error - When the error first occurred.