Working with SNMP Monitoring Thresholds

You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts. You can use these thresholds to monitor many system components automatically without requesting information from each object or device. The categories of thresholds that you can configure include:

Some categories apply only to some machines or deployments.

In each category there are many individual thresholds that you can set. For example, the hardware category includes alerts for the state of the RAID disk, the state of the temperature sensor, the state of the fan speed sensor, and others. For each individual threshold, you can configure:

  • If it is enabled or disabled

  • How frequently alerts are sent

  • The severity of the alert

  • The threshold point (if necessary)

  • Where the alerts are sent to

You can also configure some settings globally, such as how often alerts are send and where they are sent to.

Types of Alerts

  • Active alerts are sent when a threshold point is passed or the status of a monitored component is problematic.

  • Clear alerts are sent when the problem is resolved and the component has returned to its normal value. Clear alerts look like active alerts but the severity is set to 0.

Configuring SNMP Monitoring Thresholds

Configure the SNMP monitoring thresholds in the command line of the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.. When you install the policy on the Security Gateways. the SNMP monitoring thresholds are applied globally to these Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Configuring SNMP thresholds on a Multi-Domain Server

In a Multi-Domain Security Management environment, you can configure thresholds on the Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. and on each individual Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

Thresholds that you configure on the Multi-Domain Server lkevel are for the Multi-Domain Server only.

Thresholds that you configure for a Domain Management Server are for that Domain Management Server and its managed Security Gateways. If a threshold applies to the Multi-Domain Server and the Security Gateways managed by the Domain Management Server, set it on the Multi-Domain Server and Domain Management Server. But in this situation you can only get alerts from the Multi-Domain Server if the threshold passed.

For example, because the Multi-Domain Server and Domain Management Server are on the same machine, if the CPU threshold is passed, it applies to both of them. But only the Multi-Domain Server generates alerts.

You can see the Multi-Domain Security Management level for each threshold with the "threshold_config" command.

  • If the Multi-Domain Security Management level for a threshold is Multi-Domain Server:

    Alerts are generated for the Multi-Domain Server when the threshold point is passed.

  • If the Multi-Domain Security Management level for a threshold is Multi-Domain Server and Domain Management Server:

    Alerts are generated for the Multi-Domain Server and Domain Management Servers separately when the threshold point is passed.

Configuring a SNMP thresholds on Security Gateways

You can configure SNMP thresholds locally on a Security Gateway with the same procedure that you do on a Security Management Server. But each time you install a policy on the Security Gateway, the local settings are erased and it reverts to the global SNMP threshold settings.

You can use the "threshold_config" command to save the configuration file and load it again later.

The configuration file that you can back up is: $FWDIR/conf/thresholds.conf

For more information about the "threshold_config" command, see the R81 CLI Reference Guide.

Configuration Procedures

There is one primary command to configure the thresholds in the command line - threshold_config. You must be in the Expert mode to run it. After you run the threshold_config command, follow the on-screen instructions to make selections and configure the global settings and each threshold.

When you run threshold_config, you get these options:

  • Show policy name - Shows you the name configured for the threshold policy.

  • Set policy name - Lets you set a name for the threshold policy.

  • Save policy - Lets you save the policy.

  • Save policy to file - Lets you export the policy to a file.

  • Load policy from file - Lets you import a threshold policy from a file.

  • Configure global alert settings - Lets you configure global settings for how frequently alerts are sent and how many alerts are sent.

  • Configure alert destinations - Lets you configure a location or locations where the SNMP alerts are sent.

  • View thresholds overview - Shows a list of all thresholds that you can set including: the category of the threshold, if it is active or disabled, the threshold point (if relevant), and a short description of what it monitors.

  • Configure thresholds - Opens the list of threshold categories to let you select thresholds to configure.

Configure Global Alert Settings

If you select Configure global alert settings, you can configure global settings for how frequently alerts are sent and how many alerts are sent. You can configure these settings for each threshold. If a threshold does not have its own alert settings, it uses the global settings by default.

You can configure these options:

  • Enter Alert Repetitions - How many alerts are sent when an active alert is triggered. If you enter 0, alerts are sent until the problem is fixed.

  • Enter Alert Repetitions Delay - How long the system waits between it sends active alerts.

  • Enter Clear Alert Repetitions - How many clear alerts are sent after a threshold returns to a regular value.

  • Enter Clear Alert Repetitions Delay - How long the system waits between it sends clear alerts.

Configure Alert Destinations

If you select Configure Alert Destinations, you can add and remove destinations for where the alerts are sent. You can see a list of the configured destinations. A destination is usually an NMS (Network Management System) or a Check PointLog Server.

After you enter the details for a destination, the CLI asks if the destination applies to all thresholds.

  • If you enter yes, alerts for all thresholds are sent to that destination, unless you remove the destination from an individual threshold.

  • If you enter no, no alerts are sent to that destination by default. But for each individual threshold, you can configure the destinations and you can add destinations that were not applied to all thresholds.

For each threshold, you can choose to which of the alert destinations its alerts are sent. If you do not define alert destination settings for a threshold, it sends alerts to all of the destinations that you applied to all thresholds.

For each alert destination enter:

  • Name - An identifying name.

  • IP - The IP address of the destination.

  • Port - Through which port it is accessed

  • Ver - The version on SNMP that it uses

  • Other data - Some versions of SNMP require more data. Enter the data that is supplied for that SNMP version.

Configure Thresholds

If you select Configure thresholds, you see a list of the categories of thresholds, including:

  • Hardware

  • High Availability

  • Networking

  • Resources

  • Log Server Connectivity

Some categories apply only to some machines or deployments. For example, Hardware applies only to Check Point appliances and High Availability applies only to clusters or High Availability deployments.

Select a category to see the thresholds in it. Each threshold can have these options:

  • Enable/Disable Threshold - If the threshold is enabled, the system sends alerts when there is a problem. If it is disabled it does not generate alerts.

  • Set Severity - You can give each threshold a severity setting. The options are: Low, Medium, High, and Critical. The severity level shows in the alerts and in SmartView Monitor. It lets you know quickly how important the alert is.

  • Set Repetitions - Set how frequently and how many alerts will be sent when the threshold is passed. If you do not configure this, it uses the global alert settings.

  • Set Threshold Point - Enter the value that will cause active alerts when it is passed. Enter the number only, without a unit of measurement.

    • Remove from destinations - If you select this, alerts for this threshold are not sent to the selected destination.

    • Add a destination - If you configured a destination in the global alert destinations but did not apply it to all thresholds, you can add it to the threshold.

    • Disable clear alerts - Cleared alerts for this threshold are not sent to the selected destination. Active alerts are sent.

Completing the Configuration

  1. On the Security Management Server, install the policy on all Security Gateways.

    1. Run: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

    2. Run: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Monitoring SNMP Thresholds

You can see an overview of the SNMP thresholds that you configure in SmartView Monitor.

To see an overview of the SNMP thresholds:

  1. Open SmartView Monitor and select a Security Gateway.

  2. In the summary of the Security Gateway data that open in the bottom pane, click System Information.

  3. In the new pane that opens, click Thresholds.

    In the pane that opens, you can see these details:

      • Policy name - The name that you set for the policy in the CLI.

      • State - If the policy is enabled or disabled.

      • Thresholds - How many thresholds are enabled.

      • Active events - How many thresholds are currently sending alerts.

      • Generated Events - How many not active thresholds became active since the policy was installed.

      • Name - The name of the alert (given in the CLI).

      • Category - The category of the alert (given in the CLI), for example, Hardware or Resources.

      • MIB object - The name of the object as recorded in the MIB file.

      • MIB object value - The value of the object when the threshold became active, as recorded in the MIB file.

      • State - The status of the object: active or clearing (passed the threshold but returns to usual value).

      • Severity - The severity of that threshold, as you configured for it in the CLI.

      • Activation time - When was the alert first sent.

      • Name - The name of the location.

      • Type - The type of location. For example, a Log Server or NMS.

      • State - If logs are sent from the Security Gateway or Security Management Server to the destination machine.

      • Alert Count - How many alerts were sent to the destination from when the policy started.

    • For example, the Security Gateway cannot monitor RAID sensors on a machine that does not have RAID sensors. Therefore, it shows an error for the RAID Sensor Threshold.

      • Threshold Name - The name of the threshold with an error.

      • Error - A description of the error.

      • Time of Error - When the error first occurred.