SNMP

Introduction

Simple Network Management Protocol (SNMP) is an Internet standard protocol. SNMP is used to send and receive management information to and from other network devices. SNMP sends messages, called protocol data units (PDUs), to different parts of the network. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters.

Through the SNMP protocol, network management applications can query a management agent using a supported MIB. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.

Notes:

  • The Check Point implementation also supports the User‑based Security model (USM) portion of SNMPv3.

  • The Gaia implementation of SNMP is built on NET-SNMP. (Gaia is the Check Point security operating system that combines the strengths of the SecurePlatform and IPSO operating systems.)

    Changes were made to the base Net-SNMP code to address security issues and other fixes.

    For more information, see Net-SNMP.

  • Security Groups support only this SNMP OID branch:

    OID 1.3.6.1.4.1.2620.1.48

    iso.org.dod.internet.private.enterprise.checkpoint.products.asg

    To see VPN status, you can use the tunnelTable branch (OID 1.3.6.1.4.1.2620.500.9002.1).

  • Security Groups support only this SNMP trap:

    OID 1.3.6.1.4.1.2620.1.2001

    iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap
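The two OID branches above are the only ones a Security Group answers for. The following added example (not Check Point code) shows what such an OID looks like on the wire inside a PDU, using the BER rules every SNMP implementation follows, and how a manager can check that a polled OID lies under a permitted branch before sending it. The branch values are the ones from this page; the query OIDs are constructed samples.

```python
"""BER-encode SNMP OIDs (the form carried inside SNMP PDUs) and check
whether an OID lies under a permitted MIB branch.

Added example, not Check Point code. Permitted branches are the two from
this page; the OIDs queried in the demo are constructed sample values."""

ASG_BRANCH = "1.3.6.1.4.1.2620.1.48"          # checkpoint.products.asg
TUNNEL_TABLE = "1.3.6.1.4.1.2620.500.9002.1"  # tunnelTable (VPN status)


def parse_oid(text: str) -> list:
    """Split dotted text into integer arcs and validate the first two arcs."""
    arcs = [int(p) for p in text.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {text!r}")
    return arcs


def encode_oid(text: str) -> bytes:
    """BER content octets: first two arcs merge into 40*X+Y, then every
    sub-identifier is base-128, most significant group first, with the
    high bit set on all but the last octet."""
    arcs = parse_oid(text)
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append((sid & 0x7F) | 0x80)
            sid >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid; rejects a truncated final sub-identifier."""
    subids, value, pending = [], 0, False
    for b in data:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("truncated OID encoding")
    first = subids[0]
    x = min(first // 40, 2)          # arcs 0 and 1 allow Y <= 39; arc 2 absorbs the rest
    return ".".join(str(n) for n in [x, first - 40 * x] + subids[1:])


def is_under(oid: str, branch: str) -> bool:
    """True when `oid` equals `branch` or is below it in the tree."""
    o, b = parse_oid(oid), parse_oid(branch)
    return len(o) >= len(b) and o[: len(b)] == b


def allowed_for_security_group(oid: str) -> bool:
    """Manager-side pre-check: only poll what a Security Group will answer."""
    return is_under(oid, ASG_BRANCH) or is_under(oid, TUNNEL_TABLE)


if __name__ == "__main__":
    print(encode_oid(ASG_BRANCH).hex())                       # 2b06010401943c0130
    print(allowed_for_security_group("1.3.6.1.2.1.1.1.0"))    # sysDescr: False
```

The encoder output for the asg branch starts with 0x2b (1.3 merged as 43) and carries the enterprise number 2620 as the two-octet group 94 3c; the same routine handles any OID, not just the two on this page.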

Warning - If you use SNMP, we recommend that you change the community strings for security purposes. If you do not use SNMP, disable SNMP or the community strings.

SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps.

The Check Point implementation also supports using SetRequest to change these attributes: sysContact, sysLocation, and sysName. You must configure read-write permissions for set operations to work.

Check Point Gaia supports SNMP v1, v2, and v3.

Use Gaia to run these tasks:

  • Define and change one read-only community string.

  • Define and change one read-write community string.

  • Enable and disable the SNMP daemon.

  • Create SNMP users.

  • Change SNMP user accounts.

  • Add or delete trap receivers.

  • Enable or disable the various traps.

  • Enter the location and contact strings for the device.

SNMP v3 - User-Based Security Model (USM)

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM (described in RFC 3414), access to the SNMP service is controlled based on user identities. Each user has a name, an authentication pass phrase (used for identifying the user), and an optional privacy pass phrase (used for protection against disclosure of SNMP message payloads).

The system uses the MD5 hashing algorithm to supply authentication and integrity protection and DES to supply encryption (privacy).
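The pass phrases described above are never used directly: RFC 3414 turns each one into a key and then ties that key to the engine ID of the agent it is used with. The following added example (not Check Point or Net-SNMP code) implements that derivation with the MD5 hash the text names, using the RFC's own published test vector so the result can be checked against the RFC; the second engine ID is a constructed value.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A): how a user's
authentication or privacy pass phrase becomes the localized key that one
particular agent stores and uses.

Added example, not Check Point or Net-SNMP code. The engine ID and pass
phrase used below are the RFC 3414 A.3.1 test vector; OTHER_ENGINE_ID is a
constructed value used only to show that localization differs per agent."""

import hashlib

EXPANSION_BYTES = 1_048_576   # RFC 3414 A.2: pass phrase is repeated to 1 MiB before hashing


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(pass phrase repeated, then truncated, to 1,048,576 bytes).
    The 1 MiB expansion is the RFC's (modest) work factor against guessing."""
    if not password:
        raise ValueError("empty pass phrase")
    repeated = (password * (EXPANSION_BYTES // len(password) + 1))[:EXPANSION_BYTES]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    Localization is why one pass phrase yields a different key on every agent:
    a localized key read from one agent's USM table is not valid on another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation: pass phrase -> Ku -> Kul for the given agent."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")       # RFC 3414 A.3 test vector
OTHER_ENGINE_ID = bytes.fromhex("80001f8880e9bd7a4e3b5c6d01")   # constructed example value

if __name__ == "__main__":
    # Expected per RFC 3414 A.3.1: 526f5eed9fcce26f8964c2930787d82b
    print(usm_localized_key(b"maplesyrup", RFC_ENGINE_ID).hex())
```

The same routine is used for both the authentication key and the privacy key; a separate (and ideally different) pass phrase feeds each. Because Ku itself is identical across agents, the pass phrase still has to be strong even though the stored keys are localized.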

Best Practice - Use both authentication and encryption. You can also use them independently by specifying one or the other in your SNMP manager requests; Gaia responds accordingly.

SNMP users are maintained separately from system users. You can create SNMP user accounts with the same names as existing system user accounts, or with different names, and you can create SNMP user accounts that have no corresponding system account. When you delete a system user account, you must separately delete the SNMP user account.

Enabling SNMP

The SNMP daemon is disabled by default on Security Groups.

If you choose to use SNMP, enable and configure it according to your security requirements.

At minimum, you must change the default community string to something other than public.

You can choose to use all versions of SNMP (v1, v2, and v3) on your system, or to grant SNMPv3 access only.

Best Practice - If your SNMP management station supports SNMP v3, select only SNMP v3 on Gaia. SNMPv3 limits community access. Only requests from users with enabled SNMPv3 access are allowed, and all other requests are rejected.

Note - If you do not plan to use SNMP to manage the network, disable it. Enabling SNMP opens potential attack vectors for surveillance activity. It lets an attacker learn about the configuration of the device and the network.

SNMP Agent Address

An SNMP agent address is a specified IP address on which the SNMP agent listens for and responds to requests.

The default behavior is for the SNMP agent to listen to and react to requests on all interfaces. If you specify one or more agent addresses, the system SNMP agent listens and responds only on those interfaces.

You can use the agent address as an additional method to limit SNMP access. For example, to limit SNMP access to one secure internal network that is reached through a specified interface, configure that interface's address as the only agent address.
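The recommendations in the Enabling SNMP and SNMP Agent Address sections (no default community strings, SNMPv3-only where possible, authentication plus privacy, agent bound to a management interface) can be checked mechanically. The following added example (not Check Point code) audits an agent configuration for exactly those points. Because Gaia's SNMP is built on Net-SNMP, it reads Net-SNMP snmpd.conf directives (rocommunity, rwcommunity, rouser, rwuser, agentAddress); Gaia itself is configured through its own CLI and Portal, so this illustrates the checks rather than the Gaia configuration syntax. Both sample configurations are constructed.

```python
"""Audit an SNMP agent configuration for the weaknesses this page warns
about: default community strings, SNMPv1/v2c community access, read-write
communities, SNMPv3 users allowed without authentication or privacy, and
an agent that listens on all interfaces.

Added example, not Check Point code. Parses Net-SNMP snmpd.conf directives;
the two sample configurations are constructed. Address parsing is an
IPv4-only simplification (assumption)."""

from dataclasses import dataclass
from typing import Optional

DEFAULT_COMMUNITIES = {"public", "private"}
TRANSPORTS = {"udp", "tcp", "udp6", "tcp6"}


@dataclass(frozen=True)
class Finding:
    line_no: int      # 0 means the finding applies to the whole file
    severity: str     # high | medium | low
    message: str


def _host_of(spec: str) -> Optional[str]:
    """Host part of an agentAddress spec such as 'udp:10.0.0.1:161';
    None when only a port is given ('udp:161', '161')."""
    parts = spec.split(":")
    if parts[0].lower() in TRANSPORTS:
        parts = parts[1:]
    if not parts or parts[0].isdigit():
        return None
    return parts[0]


def _listens_everywhere(spec: str) -> bool:
    host = _host_of(spec)
    return host is None or host in ("0.0.0.0", "::")


def audit_snmpd_conf(text: str) -> list:
    findings, agent_specs = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            if community in DEFAULT_COMMUNITIES:
                findings.append(Finding(line_no, "high",
                    f"default community string {community!r} is in use; change it"))
            else:
                findings.append(Finding(line_no, "medium",
                    "SNMPv1/v2c community access is enabled; prefer SNMPv3-only"))
            if directive.startswith("rw"):
                findings.append(Finding(line_no, "medium",
                    "read-write community permits SetRequest to anyone holding the string"))
            if len(args) < 2 or args[1].lower() == "default":
                findings.append(Finding(line_no, "low",
                    "community is not restricted to a source network"))

        elif directive in ("rouser", "rwuser"):
            user = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 else "auth"   # Net-SNMP default level
            if level == "noauth":
                findings.append(Finding(line_no, "high",
                    f"SNMPv3 user {user!r} is allowed without authentication"))
            elif level == "auth":
                findings.append(Finding(line_no, "low",
                    f"SNMPv3 user {user!r} is allowed without privacy; payloads travel in clear"))

        elif directive == "agentaddress":
            agent_specs.extend(s.strip() for s in " ".join(args).split(",") if s.strip())

    # No agentAddress at all means the agent listens on every interface (the default behaviour)
    if not agent_specs:
        findings.append(Finding(0, "medium",
            "no agentAddress configured: agent listens on all interfaces"))
    elif any(_listens_everywhere(s) for s in agent_specs):
        findings.append(Finding(0, "medium",
            "an agentAddress binds to all interfaces; bind to the management interface only"))
    return findings


LEGACY_CONF = """\
# constructed sample: factory-style settings
rocommunity public
rwcommunity private
rouser legacy noauth
"""

V3_ONLY_CONF = """\
# constructed sample: SNMPv3-only, bound to one management address
agentAddress udp:10.0.0.1:161
createUser opsmon MD5 "long-auth-pass-phrase" DES "long-priv-pass-phrase"
rouser opsmon priv
"""

if __name__ == "__main__":
    for f in audit_snmpd_conf(LEGACY_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
    print("v3-only findings:", audit_snmpd_conf(V3_ONLY_CONF))
```

The legacy sample produces seven findings, three of them high (the two default strings and the noauth user); the SNMPv3-only sample produces none. The createUser line is deliberately not inspected, since the pass phrases are the operator's secrets; the audit only cares that access to that user requires priv.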

SNMP Traps