SNMP Monitoring

For more about using SNMP, see:

R80.30 Gaia Administration Guide - Chapter System Management - Section SNMP
sk90860: How to configure SNMP on Gaia OS

Supported SNMP Versions

SNMP v1, v2c, and v3 are supported in all monitor modes.

Note - For SNMP queries of Virtual Devices using the VS0 IP address:

SNMP V1 and V2c
Query the Virtual Device using the VSID and the configured SNMP community.
SNMP V3
Query the virtual device using the VSID and SNMP v3 context mechanism.

Supported SNMP Modes

VSX supports these SNMP modes:

SNMP Default Mode
SNMP VS Mode
SNMP VS in vs-direct access mode

SNMP Default Mode

In SNMP default mode:

The SNMP daemon runs only in the context of VS0 (the VSX Gateway).
The VS0 SNMP daemon has a set of tables with counters (VSX SNMP tree) for each Virtual Device.
SNMP queries must be sent to IP address of the VSX Gateway (context is VS0).

Item	Description	Item	Description
1	SNMP Server that sends SNMP Requests to VSX Gateway	6	Virtual System 1 (ctx 1)
2	eth0	7	Virtual System in Bridge mode (ctx 2)
3	VSX Gateway	8	Virtual Router (ctx 3)
4	SNMP Daemon	9	Virtual Switch (ctx 4)
5	Virtual System 0

SNMP VS Mode

In SNMP VS mode:

Each Virtual Device has separate SNMP daemon running in the context of that Virtual Device.
Query for Virtual Devices uses the VS0 IP address.
You must run the SNMP query using the interface on the VSX Gateway.
- The query is relayed to the specified Virtual Device.
- The Virtual Device sends the response through the same VSX Gateway interface.
The VS ID must be specified in the SNMP query.

Note - Default mode query functionality is not decreased when you enable SNMP VS mode.

Item	Description	Item	Description
1	Query Host	4	VS 0
2	eth0	5	SNMP Daemon
3	VSX Gateway	6	UDS

SNMP VS in vs-direct-access mode

Enables SNMP queries on the IP address of a Virtual System (not only VS0), or Virtual Router.
Notes:
- For cluster deployments, you can query only Virtual IP addresses.
- Only Virtual Devices with an IP address can be queried, not Virtual Switches or Virtual Bridges.
SNMP VS in vs-direct-access mode is available only when SNMP VS mode is enabled.

Item	Description	Item	Description
1	Query Host	4	VS 0
2	eth0	5	SNMP Daemon
3	VSX Gateway	6	UDS

Configuring SNMP modes

Each Virtual System must meet these requirements:

SNMP USM user

To use SNMP V3 queries, an SNMP USM user must be defined. For more on USM user creation commands, see the R80.30 Gaia Administration Guide.
To use SNMP V3 queries on VSX, the USM user must be configured with the allowed Virtual Devices:
set snmp usm user <User_Name> vsid <VSID>
By default, a USM user in VSX has no allowed Virtual Devices.

Allowed interfaces

If you enable vs-direct-access mode, the Virtual System accepts SNMP queries on all the interfaces. To prevent SNMP queries for a specified interface, add a new rule to the policy that blocks SNMP traffic on that interface.

Query source

In vs mode and vs-direct-access mode, there is no specification for query source. All sources allowed in the Security Policy are valid.

Running SNMP Queries

When you query a Virtual System Load Sharing cluster with the VSX Cluster Member (VS 0) Virtual IP address, the Virtual System on the Active VSX Cluster Member (VS 0) replies to the query. An Active Virtual System on a Standby VSX Cluster Member will not reply to the query.

If you want to query the Active Virtual System on a Standby VSX Cluster Member, use the real IP address of the VSX Cluster Member.

SNMP Configuration

See the R80.30 Gaia Administration Guide and sk90860: How to configure SNMP on Gaia OS.

To Configure:	Run:
SNMP Default	`1. set snmp agent on` `2. set snmp mode default`
SNMP mode VS	`1. set snmp agent on` `2. set snmp mode vs`
SNMP direct-vs-access	`1. set snmp agent on` `2. set snmp mode vs` `3. set snmp vs-direct-access on`

To Configure:

Run:

SNMP Default

1. set snmp agent on

2. set snmp mode default

SNMP mode VS

1. set snmp agent on

2. set snmp mode vs

SNMP direct-vs-access

1. set snmp agent on

2. set snmp mode vs

3. set snmp vs-direct-access on

Example SNMP queries for Virtual Systems

This section shows example SNMP queries.

To run an SNMP V3 query using the VSX (VS 0) IP address

In Clish

Enable the SNMP agent for context VS 0
Run:

set snmp agent on
Add an SNMP user with permissions for VSs 2,15.
Run:

add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234

set snmp usm user admin vsid 2,15
Set SNMP VS mode.
Run:

set snmp mode vs
Send the remote queries, where:
- vsidN is the SNMP context name required by SNMP v3.
- The IP address is the management IP address of the VSX Gateway or VSX Cluster.
For example (in Expert mode):

snmpwalk -n vsid2 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 ifDesc

snmpwalk -n vsid15 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 sysName

192.0.2.5 is the IP address of the Management Server.

To run an SNMP V1/V2c query using the VSX (VS 0) IP Address

In Clish:

Enable the SNMP agent for context VS 0:
Run: set snmp agent on
Enable SNMP V1/V2C
Run: set snmp agent-version any
Set the SNMP community:
set snmp community public read-only

set snmp community private read-write
Set the SNMP mode to VS:
set snmp mode vs
Send remote queries, where:
- The community has the VSID or Virtual System name as a suffix.
- The IP address is the Management IP address of the VSX Gateway or VSX Cluster.
For example, to query a Virtual System with the name “MY_VS” or has VSID “2”, run

in expert mode:

snmpwalk -v 1 -c public_2 192.0.2.5 ifDescr

snmpwalk -v 1 -c private_MY_VS 192.0.2.5 ifDescr

Communities with suffixes are created automatically. Community name collisions might occur in special cases, for example if we use these communities:

Read-only community = private
Read-write community = private_1

The communities' private_1, and private_1_1 will be automatically created for VSID 1. Private_1 is not a unique community. The community is ambiguous and using it will result unexpected behavior.

To run an SNMP query using the Virtual Device's IP address

Enable the SNMP agent for context VS0:
set snmp agent on
Add an SNMP user:
add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234
Specify USM user permissions for Virtual Devices:
set snmp usm user admin vsid 0-10
Set the SNMP community:
set snmp community public read-only

set snmp community private read-write
Set SNMP VS mode:
set snmp mode vs
Enable SNMP queries over Virtual Device's interfaces:
set snmp vs-direct-access on
Send remote queries, where the IP address is the Virtual IP address of the Virtual Device.
In expert mode, run:

snmpwalk -v 1 -c public 192.0.2.81 ifDescr

snmpwalk -v 2c -c public 192.0.2.81 ifDescr

snmpwalk -v 1 -c private 192.0.2.82 ifDescr

snmpwalk -v 2c -c private 192.0.2.82 ifDescr

snmpwalk -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 ifDescr

Note -

The SNMP community used in the queries is the same community that you configured earlier.
Only the active Virtual Device is queried.

Important - SNMP traps are available only for VS 0

The VSX SNMP Tree

To get information from a Virtual Device (Virtual System, Virtual Switch, or Virtual Router), you must load the Check Point MIB file into your SNMP Browser.

The MIB file is on the VSX Gateway (context VS0) at: $CPDIR/lib/snmp/chkpnt.mib
The VSX OID is: .1.3.6.1.4.1.2620.1.16

Example commands in Expert mode:

To run an SNMP V2c query for VSX status table, run:
snmpwalk –m $CPDIR/lib/snmp/chkpnt.mib -c public -v 2c 192.0.2.83 vsxStatusTable
To run an SNMP V3 query for the VSX memory usage table, run:
snmpwalk –m $CPDIR/lib/snmp/chkpnt.mib -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 vsxStatusMemoryUsageTable

The vsxCountersTable refresh time:

The vsxCountersTable refresh time is configured in this file:

$FWDIR/conf/amon_vsx_refresh_interval

The default value is 30 (seconds).