SNMP

Simple Network Management Protocol (SNMP) is an Internet standard protocol used to exchange management information with other network devices. SNMP sends messages, called protocol data units (PDUs), to different parts of the network. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters.

Through the SNMP protocol, network management applications can query a management agent using a supported MIB. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.

To view the detailed definition of each MIB that the Check Point implementation supports, open the MIB files at these locations (see also sk90470):

MIB                        Location
Standard MIBs              /usr/share/snmp/mibs/*.txt
Check Point MIBs           $CPDIR/lib/snmp/chkpnt.mib
                           $CPDIR/lib/snmp/chkpnt-trap.mib
Check Point Gaia trap MIB  /etc/snmp/GaiaTrapsMIB.mib

Notes:

Warning - If you use SNMP, we recommend that you change the community strings for security purposes. If you do not use SNMP, disable SNMP or disable the community strings.

SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps. The Check Point implementation also supports using SetRequest to change these attributes: sysContact, sysLocation, and sysName. You must configure read-write permissions for set operations to work.

SNMP on Check Point platforms supports SNMP v1, v2, and v3.

Use Gaia to run these tasks:

V3 - User-Based Security Model (USM)

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM (described in RFC 3414), access to the SNMP service is controlled based on user identities. Each user has a name, an authentication pass phrase (used for identifying the user), and an optional privacy pass phrase (used for protection against disclosure of SNMP message payloads).

The system uses the MD5 hashing algorithm to supply authentication and integrity protection and DES to supply encryption (privacy). Best Practice - Use authentication and encryption. You can use them independently by specifying one or the other with your SNMP manager requests. The Gaia system responds accordingly.

SNMP users are maintained separately from system users. You can create SNMP user accounts with the same names as existing system user accounts or with different names, and you can create SNMP user accounts that have no corresponding system account. When you delete a system user account, you must separately delete the SNMP user account.
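To make the USM description above concrete, here is an added example (not code from the Gaia documentation) of the RFC 3414 key handling that an MD5-based USM user relies on: the pass phrase is stretched and hashed, then localized to one agent's snmpEngineID, and the localized key produces the 12-byte HMAC-MD5-96 authentication parameter. The engine ID and pass phrase are the RFC 3414 A.3.1 test-vector values, and the wire message is constructed.

```python
import hashlib
import hmac

# Engine ID from the RFC 3414 A.3.1 test vector (a known value, not one from this page).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: repeat the pass phrase cyclically to 1 MiB, then MD5 it.
    The pass phrase itself never goes on the wire; only derived keys are used."""
    reps, rem = divmod(1 << 20, len(password))
    stretched = password * reps + password[:rem]
    return hashlib.md5(stretched).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind the user key to one agent's snmpEngineID, so a key
    recovered from one agent's store does not authenticate to any other agent."""
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_params_md5_96(kul: bytes, wire_message: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 3414 6.3): the 12-byte msgAuthenticationParameters.
    wire_message must already carry 12 zero bytes in that field."""
    return hmac.new(kul, wire_message, hashlib.md5).digest()[:12]


def verify_auth_params(kul: bytes, wire_message_zeroed: bytes, received: bytes) -> bool:
    """Receiver side: recompute over the zeroed message and compare in constant time."""
    return hmac.compare_digest(auth_params_md5_96(kul, wire_message_zeroed), received)


def rfc3414_vector() -> tuple:
    """Ku and Kul (hex) for pass phrase 'maplesyrup' and the A.3.1 engine ID."""
    ku = password_to_key_md5(b"maplesyrup")
    kul = localize_key(ku, RFC3414_ENGINE_ID)
    return ku.hex(), kul.hex()


if __name__ == "__main__":
    ku_hex, kul_hex = rfc3414_vector()
    print("Ku :", ku_hex)
    print("Kul:", kul_hex)
    # Constructed stand-in for a serialized SNMPv3 message with the auth field zeroed.
    msg = b"constructed-snmpv3-message" + b"\x00" * 12
    tag = auth_params_md5_96(bytes.fromhex(kul_hex), msg)
    print("authParams:", tag.hex(), "verifies:", verify_auth_params(bytes.fromhex(kul_hex), msg, tag))
```

Because the engine ID is mixed into the key, the same pass phrase yields a different Kul on every Gaia agent, which is why the authentication key stored on one agent is of no use against another.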

Enabling SNMP

The SNMP daemon is disabled by default. If you choose to use SNMP, enable and configure it according to your security requirements. At minimum, you must change the default community string to something other than public. It is also advised to select SNMPv3, rather than the default v1/v2/v3, if your management station supports it.

Note - If you do not plan to use SNMP to manage the network, disable it. Enabling SNMP opens potential attack vectors for surveillance activity. It lets an attacker learn about the configuration of the device and the network.

You can choose to use all versions of SNMP (v1, v2, and v3) on your system, or to grant SNMPv3 access only. If your management station supports v3, select to use only v3 on your Gaia system. SNMPv3 limits community access. Only requests from users with enabled SNMPv3 access are allowed, and all other requests are rejected.

SNMP Agent Address

An agent address is a specified IP address on which the SNMP agent listens and reacts to requests. By default, the SNMP agent listens to and reacts to requests on all interfaces. If you specify one or more agent addresses, the system SNMP agent listens and responds only on those interfaces.

You can use the agent address as another way to limit SNMP access. For example, you can limit SNMP access to one secure internal network that uses a specified interface by configuring that interface as the only agent address.
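As an added example that is not part of the Gaia documentation, the following audit flags the settings that the Enabling SNMP, USM and Agent Address sections advise against: a default community string, accepting v1/v2 instead of v3 only, a USM user without privacy, and an agent that answers on all interfaces. The two configuration snapshots are constructed in a Gaia-style "set snmp ..." form; the exact clish syntax is an assumption for this illustration, not copied from the product.

```python
import re

# Constructed snapshots (command syntax assumed for illustration).
WEAK_SNAPSHOT = """\
set snmp agent on
set snmp agent-version any
set snmp community public read-only
set snmp usm user monitor security-level authNoPriv auth-pass-phrase REDACTED
"""

HARDENED_SNAPSHOT = """\
set snmp agent on
set snmp agent-version v3-Only
set snmp agent-address 10.0.0.5
set snmp usm user monitor security-level authPriv auth-pass-phrase REDACTED privacy-pass-phrase REDACTED
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp(snapshot: str) -> list:
    """Return one finding per weak setting; an empty list means nothing to fix."""
    lines = [ln.strip() for ln in snapshot.splitlines() if ln.strip()]
    findings = []
    if "set snmp agent on" not in lines:
        return findings  # daemon disabled: nothing is exposed
    if "set snmp agent-version v3-Only" not in lines:
        findings.append("v1/v2 requests still accepted: set agent-version to v3-Only")
    for ln in lines:
        m = re.match(r"set snmp community (\S+) (read-only|read-write)$", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{m.group(1)}' ({m.group(2)})")
        m = re.match(r"set snmp usm user (\S+) security-level (\S+)", ln)
        if m and m.group(2) != "authPriv":
            findings.append(f"USM user '{m.group(1)}' is {m.group(2)}: payloads are not encrypted")
    if not any(ln.startswith("set snmp agent-address ") for ln in lines):
        findings.append("no agent address configured: agent answers on all interfaces")
    return findings


if __name__ == "__main__":
    for name, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(name, audit_snmp(snap))
```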

SNMP Traps

Managed devices use trap messages to report events to the Network Management Station (NMS). When some types of events occur, the platform sends a trap to the management station.

The Gaia proprietary traps are defined in the /etc/snmp/GaiaTrapsMIB.mib file.

Gaia supports these types of SNMP traps:

coldStart - Notifies when the SNMPv2 agent is re-initialized.

linkUpLinkDown - Notifies when one of the links changes state to up or down.

authorizationError - Notifies when an SNMP operation is not properly authenticated.

configurationChange - Notifies when a change to the system configuration is applied.

configurationSave - Notifies when a permanent change to the system configuration occurs.

lowDiskSpace - Notifies when space on the system disk is low. This trap is sent if disk space utilization in the / partition has reached 80 percent or more of its capacity.

powerSupplyFailure - Notifies when a power supply for the system fails. This trap is supported only on platforms with two power supplies installed and running.

fanFailure - Notifies when a CPU or chassis fan fails.

overTemperature - Notifies when the temperature rises above the threshold.

highVoltage - Notifies when one of the voltage sensors exceeds its maximum value.

lowVoltage - Notifies when one of the voltage sensors falls below its minimum value.

raidVolumeState - Notifies when the RAID volume state is not optimal. This trap works only if RAID is supported on the Gaia appliance or computer. To make sure that RAID monitoring is supported, run the raid_diagnostic command and confirm that it shows the RAID status.

biosFailure - Notifies when a primary BIOS failure is detected. Sent once, when the event occurs.

vrrpv2AuthFailure - Notifies when the VRRP member has a packet authentication failure (VRRPv2 for IPv4 and VRRPv3 for IPv6). Sent each polling interval.

vrrpv2NewMaster - Notifies when the VRRP member has transitioned to the Master state (VRRPv2, IPv4). Sent each polling interval.

vrrpv3NewMaster - Notifies when the VRRP member has transitioned to the Master state (VRRPv3, IPv6). Sent each polling interval.

vrrpv3ProtoError - Notifies when the VRRP member has a protocol error (VRRPv2 for IPv4 and VRRPv3 for IPv6). Sent each polling interval.