SNMP Monitoring

For more about using SNMP, see:

• R80.20SP Quantum Maestro Gaia Administration Guide > Chapter System Management > Section SNMP

• sk90860: How to configure SNMP on Gaia OS

Supported SNMP Versions

SNMP v1, v2c, and v3 are supported in all monitor modes.

Note - For SNMP queries of Virtual Devices using the VS0 IP address:

• SNMP V1 and V2c

  Query the Virtual Device Logical object that emulates the functionality of a type of physical network object. Virtual Device can be on of these: Virtual Router, Virtual System, or Virtual Switch. using the VSID and the configured SNMP community.

• SNMP V3

  Query the virtual device using the VSID and SNMP v3 context mechanism.

Supported SNMP Modes

VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. supports these SNMP modes:

• SNMP Default Mode

• SNMP VS Mode

• SNMP VS in vs-direct access mode

SNMP Default Mode

In SNMP default mode:

• The SNMP daemon runs only in the context of VS0 (the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.).

• The VS0 SNMP daemon has a set of tables with counters (VSX SNMP tree) for each Virtual Device.

• SNMP queries must be sent to IP address of the VSX Gateway (context is VS0).

Item	Description		Item	Description
1	SNMP Server that sends SNMP Requests to VSX Gateway		6	Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS. 1 (ctx 1)
2	eth0		7	Virtual System in Bridge mode Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology. (ctx 2)
3	VSX Gateway		8	Virtual Router Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router. Acronym: VR. (ctx 3)
4	SNMP Daemon		9	Virtual Switch Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical switch. Acronym: VSW. (ctx 4)
5	Virtual System 0

SNMP VS Mode

In SNMP VS mode:

• Each Virtual Device has separate SNMP daemon running in the context of that Virtual Device.

• Query for Virtual Devices uses the VS0 IP address.

• You must run the SNMP query using the interface on the VSX Gateway.

  • The query is relayed to the specified Virtual Device.

  • The Virtual Device sends the response through the same VSX Gateway interface.

• The VS ID must be specified in the SNMP query.

Note - Default mode query functionality is not decreased when you enable SNMP VS mode.

Item	Description		Item	Description
1	Query Host		4	VS 0
2	eth0		5	SNMP Daemon
3	VSX Gateway		6	UDS

SNMP VS in vs-direct-access mode

• Enables SNMP queries on the IP address of a Virtual System (not only VS0), or Virtual Router.

  Notes:

  • For cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. deployments, you can query only Virtual IP addresses.

  • Only Virtual Devices with an IP address can be queried, not Virtual Switches or Virtual Bridges.

• SNMP VS in vs-direct-access mode is available only when SNMP VS mode is enabled.

Item	Description		Item	Description
1	Query Host		4	VS 0
2	eth0		5	SNMP Daemon
3	VSX Gateway		6	UDS

Configuring SNMP modes

Each Virtual System must meet these requirements:

SNMP USM user

• To use SNMP V3 queries, an SNMP USM user must be defined. For more on USM user creation commands, see the R80.20SP Quantum Maestro Gaia Administration Guide.

• To use SNMP V3 queries on VSX, the USM user must be configured with the allowed Virtual-Devices:

  set snmp usm user <user_name> vsid <VSID>

• By default, a USM user in VSX has no allowed Virtual-Devices.

Allowed interfaces

If you enable vs-direct-access mode, the Virtual System accepts SNMP queries on all the interfaces. To prevent SNMP queries for a specified interface, add a new rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to the policy that blocks SNMP traffic on that interface.

Query source

In vs mode and vs-direct-access mode, there is no specification for query source. All sources allowed in the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. are valid.

Running SNMP Queries

When you query a Virtual System Load Sharing VSX Cluster technology that assigns Virtual System traffic to different Active Cluster Members. Acronym: VSLS. cluster with the VSX Gateway (VS 0) Virtual IP address, the Virtual System on the Active VSX Gateway (VS 0) replies to the query. An Active Virtual System on a Standby VSX Gateway will not reply to the query.

If it is necessary to query the Active Virtual System on a Standby VSX Gateway, use the real IP address of the VSX cluster member Security Gateway that is part of a cluster..

SNMP Configurations

See the R80.20SP Quantum Maestro Gaia Administration Guide and sk90860 How to configure SNMP on Gaia OS.

To Configure:	Run:
SNMP Default	1. set snmp agent on 2. set snmp mode default
SNMP mode VS	1. set snmp agent on 2. set snmp mode vs
SNMP direct-vs-access	1. set snmp agent on 2. set snmp mode vs 3. set snmp vs-direct-access on

Example SNMP queries for Virtual Systems

This section shows example SNMP queries.

To run an SNMP V3 query using the VSX (VS 0) IP address

In Clish

1. Enable the SNMP agent for context VS

   Run:

   set snmp agent on

2. Add an SNMP user with permissions for VSs 2,15.

   Run:

   add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234

   set snmp usm user admin vsid 2,15

3. Set SNMP VS mode.

   Run:

   set snmp mode vs

4. Send the remote queries, where:

   • vsidN is the SNMP context name required by SNMP v3.

   • The IP address is the management IP address of the VSX Gateway or VSX Cluster.

   For example (in Expert mode):

   snmpwalk -n vsid2 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 ifDesc

   snmpwalk -n vsid15 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 sysName

   192.0.2.5 is the IP address of the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

To run an SNMP V1/V2c query using the VSX (VS 0) IP Address

In Clish:

1. Enable the SNMP agent for context VS 0:

   Run: set snmp agent on

2. Enable SNMP V1/V2

   Run: set snmp agent-version any

3. Set the SNMP community:

   set snmp community public read-only

   set snmp community private read-write

4. Set the SNMP mode to VS:

   set snmp mode vs

5. Send remote queries, where:

   • The community has the VSID or Virtual System name as a suffix.

   • The IP address is the Management IP address of the VSX Gateway or VSX Cluster.

   For example, to query a Virtual System with the name "MY_VS" or has VSID "2", run

   in expert mode:

   snmpwalk -v 1 -c public_2 192.0.2.5 ifDescr

   snmpwalk -v 1 -c private_MY_VS 192.0.2.5 ifDescr

Communities with suffixes are created automatically. Community name collisions might occur in special cases, for example if we use these communities:

• Read-only community = private

• Read-write community = private_1

The communities' private_1, and private_1_1 will be automatically created for VSID 1. Private_1 is not a unique community. The community is ambiguous and using it will result unexpected behavior.

To run an SNMP query using the Virtual Device's IP address

1. Enable the SNMP agent for context VS0:

   set snmp agent on

2. Add an SNMP user:

   add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234

3. Specify USM user permissions for Virtual Devices:

   set snmp usm user admin vsid 0-10

4. Set the SNMP community:

   set snmp community public read-only

   set snmp community private read-write

5. Set SNMP VS mode:

   set snmp mode vs

6. Enable SNMP queries over Virtual Device's interfaces:

   set snmp vs-direct-access on

7. Send remote queries, where the IP address is the Virtual IP address of the Virtual Device.

   In expert mode, run:

   snmpwalk -v 1 -c public 192.0.2.81 ifDescr

   snmpwalk -v 2c -c public 192.0.2.81 ifDescr

   snmpwalk -v 1 -c private 192.0.2.82 ifDescr

   snmpwalk -v 2c -c private 192.0.2.82 ifDescr

   snmpwalk -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 ifDescr

Note -

• The SNMP community used in the queries is the same community that you configured earlier.

• Only the active Virtual Device is queried.

Important - SNMP traps are available only for VS 0

The VSX SNMP Tree

To get information from a Virtual Device (Virtual System, Virtual Switch, or Virtual Router), you must load the Check Point MIB file into your SNMP Browser.

• The MIB file is on the VSX Gateway (context VS0) at: $CPDIR/lib/snmp/chkpnt.mib

• The VSX OID is: .1.3.6.1.4.1.2620.1.16

Example commands in Expert mode:

• To run an SNMP V2c query for VSX status table, run:

  snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -c public -v 2c 192.0.2.83 vsxStatusTable

• To run an SNMP V3 query for the VSX memory usage table, run:

  snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 vsxStatusMemoryUsageTable

The vsxCountersTable refresh time:

The vsxCountersTable refresh time is configured in this file:

$FWDIR/conf/amon_vsx_refresh_interval

The default value is 30 (seconds).