SNMP Monitoring
For more about using SNMP, see:
- R81 Gaia Administration Guide - Chapter System Management - Section SNMP
Supported SNMP Versions
SNMP v1, v2c, and v3 are supported in all monitor modes.
Note - For SNMP queries of Virtual Devices using the VS0 IP address:
Supported SNMP Modes
- SNMP Default Mode
- SNMP VS Mode
- SNMP VS in vs-direct-access mode
SNMP Default Mode
In SNMP default mode:
- The SNMP daemon runs only in the context of VS0 (the VSX Gateway itself: the physical server that hosts the VSX virtual networks and all Virtual Devices, and which always holds at least one Virtual System, VS0).
- The VS0 SNMP daemon exposes a set of tables with counters (the VSX SNMP tree) for each Virtual Device.
- SNMP queries must be sent to the IP address of the VSX Gateway (the context is VS0).
SNMP VS Mode
In SNMP VS mode:
- Each Virtual Device has a separate SNMP daemon running in the context of that Virtual Device.
- Queries for Virtual Devices are still sent to the VS0 IP address, through an interface of the VSX Gateway:
  - The query is relayed to the specified Virtual Device.
  - The Virtual Device sends the response through the same VSX Gateway interface.
- The VS ID must be specified in the SNMP query: as the SNMP v3 context name, or as a suffix on the SNMP v1/v2c community name (see the examples later on this page).
Note - Default mode query functionality is not decreased when you enable SNMP VS mode.
SNMP VS in the "vs-direct-access" Mode
- SNMP VS in the vs-direct-access mode is available only when SNMP VS mode is enabled.
- It enables SNMP queries on the IP address of a Virtual System (not only VS0) or of a Virtual Router.
Notes:
- In cluster deployments (two or more Security Gateways that work together in a redundant High Availability or Load Sharing configuration), you can query only Virtual IP addresses.
- Only Virtual Devices that have an IP address can be queried, not Virtual Switches or Virtual Bridges.
Each Virtual System must meet these requirements:
SNMP USM user
- To use SNMP v3 queries, an SNMP USM user must be defined. For the USM user creation commands, see the R81 Gaia Administration Guide.
- To use SNMP v3 queries on VSX, the USM user must be granted the Virtual Devices it is allowed to query:
set snmp usm user <User_Name> vsid <VSID>
- By default, a USM user in VSX has no allowed Virtual Devices, so a newly created user cannot query any Virtual Device until this command is run for it.
Allowed interfaces
If you enable the vs-direct-access mode, the Virtual System accepts SNMP queries on all of its interfaces.
To prevent SNMP queries on a specific interface, add a rule to the Security Policy (the Rule Base) that blocks SNMP traffic (UDP port 161) arriving on that interface.
Query source
In VS mode and in vs-direct-access mode, the SNMP configuration itself does not restrict the query source. Every source that the Security Policy allows to reach the SNMP agent is valid, so the policy, not the SNMP settings, is what limits who can query.
Running SNMP Queries
When you query a Virtual System Load Sharing (VSLS) VSX Cluster using the VS0 Virtual IP address of the cluster, the Virtual System on the VSX Cluster Member whose VS0 is Active replies to the query.
An Active Virtual System that is hosted on a Standby VSX Cluster Member does not reply to a query sent to the Virtual IP address.
If you want to query the Active Virtual System on a Standby VSX Cluster Member, send the query to the real IP address of that VSX Cluster Member.
SNMP Configuration
See the R81 Gaia Administration Guide and sk90860: How to configure SNMP on Gaia OS.

To Configure | Run
---|---
SNMP default mode | set snmp mode default
SNMP VS mode | set snmp mode vs
SNMP vs-direct-access mode | set snmp vs-direct-access on
Example SNMP queries for Virtual Systems
This section shows example SNMP queries. The user names, pass phrases, community names and IP addresses are placeholders. In production, prefer SNMP v3 with security level authPriv and a strong pass phrase: authNoPriv authenticates the query but does not encrypt the query or the response.

SNMP v3 queries in VS mode:
- Enable the SNMP agent (in the context of VS0):
set snmp agent on
- Add an SNMP USM user with permissions for VSIDs 2 and 15:
add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234
set snmp usm user admin vsid 2,15
- Set SNMP VS mode:
set snmp mode vs
- Send the remote queries, where:
  - vsidN is the SNMP v3 context name that selects the Virtual Device (N is the VSID); the context name is required in SNMP v3.
  - The IP address is the management IP address of the VSX Gateway or VSX Cluster.
For example (in the Expert mode):
snmpwalk -n vsid2 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 ifDescr
snmpwalk -n vsid15 -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.5 sysName
Here 192.0.2.5 is the management IP address of the VSX Gateway. The queries go to the gateway, not to the Security Management Server.
SNMP v1/v2c queries in VS mode:
- Enable the SNMP agent (in the context of VS0):
set snmp agent on
- Enable SNMP v1/v2c (in addition to v3):
set snmp agent-version any
- Set the SNMP communities. The names below are examples; a v1/v2c community name is sent in cleartext and is the only credential, so do not keep the defaults public and private in production:
set snmp community public read-only
set snmp community private read-write
- Set the SNMP mode to VS:
set snmp mode vs
- Send the remote queries, where:
  - The community name carries the VSID or the Virtual System name as a suffix, separated by an underscore.
  - The IP address is the management IP address of the VSX Gateway or VSX Cluster.
For example, to query the Virtual System with the name "MY_VS" and VSID 2, run (in the Expert mode):
snmpwalk -v 1 -c public_2 192.0.2.5 ifDescr
snmpwalk -v 1 -c private_MY_VS 192.0.2.5 ifDescr
Communities with suffixes are created automatically for every Virtual Device, for both its VSID and its name. Community name collisions can occur in special cases, when one configured community name equals another configured community name plus a valid suffix. For example, with these communities:
- Read-only community = private
- Read-write community = private_1
the communities private_1 (read-only, for VSID 1) and private_1_1 (read-write, for VSID 1) are created automatically for VSID 1. Now private_1 is not a unique community: it is both the configured read-write community and the auto-created read-only community of VSID 1. The community is ambiguous and using it results in unexpected behavior. Avoid community names that end in an underscore followed by a VSID or a Virtual System name.
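The collision rule above can be checked before the communities are typed into clish. The following Python script is an added example written for this page, not Check Point code or a Gaia CLI feature: it models the suffix convention described here (base community, an underscore, then the VSID or the Virtual System name) and reports every community string that could be read in more than one way. Beyond what the page states, it assumes that the unsuffixed base community still addresses VS0 in VS mode and that suffixes are generated for both the VSID and the name of every Virtual Device; the VS names, VSIDs and community names in the sample are constructed.

```python
"""Lint a planned VSX SNMP community set for VS-mode suffix collisions.

Added example; not Check Point code.  Models the rule that, in SNMP VS
mode, the gateway automatically creates "<community>_<VSID>" and
"<community>_<VS name>" for every configured community and Virtual Device.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (base community, access, VSID): one possible meaning of a community string
Candidate = Tuple[str, str, int]


@dataclass(frozen=True)
class VirtualSystem:
    vsid: int
    name: str


def community_table(
    communities: Dict[str, str], systems: List[VirtualSystem]
) -> Dict[str, Set[Candidate]]:
    """Map every community string the agent would accept to its meanings.

    `communities` maps a configured base community to "read-only" or
    "read-write".  Assumption (not stated on the page): the unsuffixed base
    community still addresses VS0 once VS mode is enabled.
    """
    table: Dict[str, Set[Candidate]] = {}
    for base, access in communities.items():
        table.setdefault(base, set()).add((base, access, 0))
        for vs in systems:
            # Both the VSID and the VS name are valid suffixes.
            for suffix in (str(vs.vsid), vs.name):
                full = f"{base}_{suffix}"
                table.setdefault(full, set()).add((base, access, vs.vsid))
    return table


def resolve(
    community: str, communities: Dict[str, str], systems: List[VirtualSystem]
) -> Set[Candidate]:
    """All (base, access, VSID) meanings of one community string; empty if unknown."""
    return community_table(communities, systems).get(community, set())


def ambiguous_communities(
    communities: Dict[str, str], systems: List[VirtualSystem]
) -> Dict[str, Set[Candidate]]:
    """Community strings with more than one meaning; these must be avoided."""
    return {
        name: cands
        for name, cands in community_table(communities, systems).items()
        if len(cands) > 1
    }


def lint(communities: Dict[str, str], systems: List[VirtualSystem]) -> List[str]:
    """Human-readable findings, one per ambiguous community (empty list = clean)."""
    findings: List[str] = []
    for name, cands in sorted(ambiguous_communities(communities, systems).items()):
        meanings = "; ".join(
            f"{access} via base '{base}' for VSID {vsid}"
            for base, access, vsid in sorted(cands)
        )
        findings.append(f"community '{name}' is ambiguous: {meanings}")
    return findings


if __name__ == "__main__":
    # Constructed sample reproducing the collision case above: the read-write
    # base name equals the read-only base name plus the "_1" suffix of VSID 1.
    systems = [VirtualSystem(1, "MY_VS"), VirtualSystem(2, "VS_TWO")]
    bad = {"private": "read-only", "private_1": "read-write"}
    good = {"vsx-ro-7Qx": "read-only", "vsx-rw-3Lm": "read-write"}
    for label, cfg in (("bad", bad), ("good", good)):
        print(label, lint(cfg, systems) or ["no collisions"])
```

Running the script prints one finding for the "bad" set (private_1 resolves both to the read-write base community on VS0 and to read-only access on VSID 1) and none for the "good" set. The same check is worth repeating whenever a Virtual System is added, because a new VS name can create a collision with an existing community name.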
SNMP queries in vs-direct-access mode:
- Enable the SNMP agent (in the context of VS0):
set snmp agent on
- Add an SNMP USM user:
add snmp usm user admin security-level authNoPriv auth-pass-phrase abcd1234
- Specify the Virtual Devices the USM user may query (here VSIDs 0 through 10):
set snmp usm user admin vsid 0-10
- Set the SNMP communities:
set snmp community public read-only
set snmp community private read-write
- Set SNMP VS mode:
set snmp mode vs
- Enable SNMP queries on the Virtual Devices' own interfaces:
set snmp vs-direct-access on
- Send the remote queries, where the IP address is the Virtual IP address of the Virtual Device itself. Because the address already selects the Virtual Device, no context name and no community suffix is used.
In the Expert mode, run:
snmpwalk -v 1 -c public 192.0.2.81 ifDescr
snmpwalk -v 2c -c public 192.0.2.81 ifDescr
snmpwalk -v 1 -c private 192.0.2.82 ifDescr
snmpwalk -v 2c -c private 192.0.2.82 ifDescr
snmpwalk -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 ifDescr
Important - SNMP traps are available only for VS0.
The VSX SNMP Tree
To get information from a Virtual Device (Virtual System, Virtual Switch, or Virtual Router), you must load the Check Point MIB file into your SNMP browser.
- The MIB file on the VSX Gateway (context of VS0) is:
$CPDIR/lib/snmp/chkpnt.mib
- The VSX OID is:
.1.3.6.1.4.1.2620.1.16
Example commands in the Expert mode (the -m option points at the MIB file; when you run snmpwalk from another host, copy the MIB there first and point -m at the copy):
- To run an SNMP v2c query for the VSX status table, run:
snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -c public -v 2c 192.0.2.83 vsxStatusTable
- To run an SNMP v3 query for the VSX memory usage table, run:
snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 3 -l authNoPriv -u admin -A abcd1234 192.0.2.83 vsxStatusMemoryUsageTable
The vsxCountersTable refresh time is configured in this file:
$FWDIR/conf/amon_vsx_refresh_interval
The default value is 30 (seconds).