SNMP

Introduction

Simple Network Management Protocol (SNMP) is an Internet standard protocol. SNMP is used to send and receive management information to other network devices. SNMP sends messages, called protocol data units (PDUs), to different network parts. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and resend this data to the SNMP requesters.

Through the SNMP protocol, network management applications can query a management agent using a supported MIB. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.

Check Point Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. supports SNMP v1, v2, and v3.

To view detailed information about each MIB that the Check Point implementation supports (also, see sk90470):

MIB	Location
Standard MIBs	`/usr/share/snmp/mibs/*.txt`
Check Point MIBs	`$CPDIR/lib/snmp/chkpnt.mib` `$CPDIR/lib/snmp/chkpnt-trap.mib`
Check Point Gaia trap MIB	`/etc/snmp/GaiaTrapsMIB.mib`

MIB

Location

Standard MIBs

/usr/share/snmp/mibs/*.txt

Check Point MIBs

$CPDIR/lib/snmp/chkpnt.mib

$CPDIR/lib/snmp/chkpnt-trap.mib

Check Point Gaia trap MIB

/etc/snmp/GaiaTrapsMIB.mib

Notes:

The Check Point implementation also supports the User‑based Security model (USM) portion of SNMPv3.
The Gaia implementation of SNMP is built on NET-SNMP. Changes were made to the first version to address security and other fixes. For more information, see Net-SNMP.

Warning - If you use SNMP, we recommend that you change the community strings for security purposes. If you do not use SNMP, disable SNMP or the community strings.

SNMP, as implemented on Check Point platforms, enables an SNMP manager to monitor the device using GetRequest, GetNextRequest, GetBulkRequest, and a select number of traps.

The Check Point implementation also supports using SetRequest to change these attributes: sysContact, sysLocation, and sysName. You must configure read-write permissions for set operations to work.

Use Gaia to run these tasks:

Define and change one read-only community string.
Define and change one read-write community string.
Enable and disable the SNMP daemon.
Create SNMP users.
Change SNMP user accounts.
Add or delete trap receivers.
Enable or disable the various traps.
Enter the location and contact strings for the device.

SNMP v3 - User-Based Security Model (USM)

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM (described in RFC 3414), access to the SNMP service is controlled based on user identities. Each user has a name, an authentication pass phrase (used for identifying the user), and an optional privacy pass phrase (used for protection against disclosure of SNMP message payloads).

The system uses the MD5 hashing algorithm to supply authentication and integrity protection and DES to supply encryption (privacy).

Best Practice - Use authentication and encryption. You can use them independently by specifying one or the other with your SNMP manager requests. The Gaia responds accordingly.

SNMP users are maintained separately from system users. You can create SNMP user accounts with the same names as existing user accounts or different. You can create SNMP user accounts that have no corresponding system account. When you delete a system user account, you must separately delete the SNMP user account.

Enabling SNMP

The SNMP daemon is disabled by default.

If you choose to use SNMP, enable and configure it according to your security requirements.

At minimum, you must change the default community string to something other than public.

You can choose to use all versions of SNMP (v1, v2, and v3) on your system, or to grant SNMPv3 access only.

Best Practice - If your SNMP management station supports SNMP v3, select only SNMP v3 on Gaia. SNMPv3 limits community access. Only requests from users with enabled SNMPv3 access are allowed, and all other requests are rejected.

Note - If you do not plan to use SNMP to manage the network, disable it. Enabling SNMP opens potential attack vectors for surveillance activity. It lets an attacker learn about the configuration of the device and the network.

SNMP Agent Address

An SNMP Agent address is a specified IP address, on which the SNMP agent listens and reacts to requests.

The default behavior is for the SNMP agent to listen to and react to requests on all interfaces. If you specify one or more agent addresses, the system SNMP agent listens and responds only on those interfaces.

You can use the agent address as a different method to limit SNMP access. For example: you can limit SNMP access to one secure internal network that uses a specified interface. Configure that interface as the only agent address.

SNMP Traps

Managed devices use trap messages to report events to the Network Management Station (NMS).

When some types of events occur, the platform sends a trap to the management station.

The Gaia proprietary traps are defined in the /etc/snmp/GaiaTrapsMIB.mib file.

Gaia supports these types of SNMP traps:

Table: SNMP Traps in Gaia
Type of Trap	Description
`coldStart`	Notifies when the SNMPv2 agent is re-initialized.
`linkUpLinkDown`	Notifies when one of the links changes state to up or down.
`authorizationError`	Notifies when an SNMP operation is not properly authenticated.
`configurationChange`	Notifies when a change to the system configuration is applied.
`configurationSave`	Notifies when a permanent change to the system configuration occurs.
`lowDiskSpace`	Notifies when space on the system disk is low. Sent if the disk space utilization in the `/` partition has reached 80 percent or more of its capacity.
`powerSupplyFailure`	Notifies when a power supply for the system fails. This trap is supported only on platforms with two power supplies installed and running.
`fanFailure`	Notifies when a CPU or chassis fan fails.
`overTemperature`	Notifies when the temperature rises above the threshold.
`highVoltage`	Notifies if one of the voltage sensors exceeds its maximum value.
`lowVoltage`	Notifies if one of the voltage sensors falls below its minimum value.
`raidVolumeState`	Notifies if the raid volume state is not optimal. This trap works only if RAID is supported on the Gaia computer. To make sure that RAID monitoring is supported, run the command `raid_diagnostic` and confirm that it shows the RAID status.
`biosFailure`	Notifies when the Primary BIOS failure is detected. Sent once the event occurs. Applies to computers with Dual BIOS.
`vrrpv2AuthFailure`	Notifies when the VRRP Cluster Member Security Gateway that is part of a cluster. has packet an authentication failure in VRRPv2 (IPv4) and VRRPv3 (IPv6). Sent each polling interval.
`vrrpv2NewMaster`	Notifies when the VRRP Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member transitioned to VRRP Master state in VRRPv2 (IPv4). Sent each polling interval.
`vrrpv3NewMaster`	Notifies when the VRRP Cluster Member transitioned to VRRP Master state in VRRPv3 (IPv6). Sent each polling interval.
`vrrpv3ProtoError`	Notifies when the VRRP Cluster Member has a protocol error in VRRPv2 (IPv4) and VRRPv3 (IPv6). Sent each polling interval.