SNMP for Security Group Members

Important - This topic describes the steps to get SNMP data from a specific Security Group Member.

To get aggregated SNMP data from all Security Group Members, see SNMP for Security Groups.

Background

By default, when you query a Security Group over SNMP, you can get only these data:

  • SNMP data only from the Security Group Member that accepted the SNMP connections:

    • If the connection arrives at the "Mgmt" port assigned to the Security Group, then the Single Management Object (SMO) Security Group Member accepts it.

    • If the connection arrives at one of the Data ports assigned to the Security Group, then one of the Security Group Members accepts it (based on the Source IP Address / Port and the Destination IP Address / Port).

  • Aggregated SNMP data from all Security Group Members (with the SNMP OID branch "asg").

To get SNMP data from a specific Security Group Member, use the SNMPv3 proxy feature "ContextName": the SNMPv3 context name in the query selects the Security Group Member that must answer it.

SNMP flow:

  1. An SNMP client sends the required SNMP query to the Security Group for the specified Security Group Member.

  2. A Security Group Member that accepts the SNMP connection forwards it to the specified Security Group Member over the internal synchronization network.

  3. The specified Security Group Member responds with the SNMP data (over the internal synchronization network) to the Security Group Member that accepted the SNMP connection.

  4. The Security Group Member that accepted the SNMP connection, responds with the SNMP data to the SNMP client.

The SNMP Client is unaware of this SNMP proxy feature on the Security Group Member. From the SNMP Client point of view, the SNMP connection is established directly with the specified Security Group Member.

Limitations

  • This feature supports a maximum of 10 Security Group Members in a Security Group.

  • In the Traditional VSX mode, SNMP queries sent to the IP addresses of Virtual Systems other than VS0 are not supported (the SNMP VS mode "vs-direct-access" is not supported). This is because the internal synchronization interface is not available in the context of Virtual Systems other than VS0.

Prerequisites

Step 1. On the Security Group, in Gaia Portal or Gaia gClish:

  1. Enable the SNMP Agent.

  2. Configure an SNMP v3 user with these settings:

    1. Security Level "authPriv"

    2. Authentication Protocol and Authentication Pass phrase

    3. Privacy Protocol and Privacy Pass phrase

See the R82 Gaia Administration Guide > Chapter "System Management" > Section "SNMP".

Important - In the VSNext / Traditional VSX mode, this SNMP v3 user must have access to the required Virtual Gateways / Legacy Virtual Systems:

set snmp usm user <SNMPv3 USM User> vsid <Range of VSIDs>

Step 2. Upload these Check Point MIB files from the Security Group to your third-party SNMP monitoring software:

  • The SNMP MIB file:

    $CPDIR/lib/snmp/chkpnt.mib

  • The SNMP Trap MIB file:

    $CPDIR/lib/snmp/chkpnt-trap.mib

    (The /etc/snmp/GaiaTrapsMIB.mib file is not supported.)

Step 3. In the Access Control policy, configure this explicit rule for the SNMP traffic (UDP port 161) in the internal synchronization network and install this policy on the applicable Security Gateway object for this Security Group (in the rule below, 192.0.2.0/24 stands for the internal synchronization network of your Security Group; use the actual network):

  Name:                     SNMP for Security Group Members
  Source:                   Network Object for the IP address 192.0.2.0/24
  Destination:              Network Object for the IP address 192.0.2.0/24
  VPN:                      Any
  Services & Applications:  snmp
  Action:                   Accept
  Track:                    Log or None
  Install On:               Policy Targets

Enabling SNMP for Specific Security Group Members

Procedure

Step 1. Connect to the command line on the Security Group.

Step 2. Log in to Gaia gClish.

Step 3. Enable SNMP per Security Group Member:

  1. With the Context Distribution mode.

  2. For the applicable SNMPv3 USM user.

set snmp snmp-per-member state on mode ctx-dist user <SNMPv3 USM User>

Notes:

  • You must enter the SNMPv3 USM user explicitly.

    This command does not suggest a list of configured SNMPv3 USM users.

  • The command must return this line for each Security Group Member:

    "SNMP Per Member configuration finished successfully"

Step 4. Examine the state of the SNMP per Security Group Member feature:

show snmp snmp-per-member state

The command must return "on" for each Security Group Member.

Step 5. Run the applicable SNMPv3 query from the SNMP client:

snmpwalk -v 3 -u <SNMPv3 USM User> -l <AuthenticationLevel> -a <AuthenticationProtocol> -A <AuthenticationPhrase> -x <PrivacyProtocol> -X <PrivacyPhrase> <IP Address of Security Group> -n <Name of SNMPv3 Context for Security Group Member> <SNMP OID>

Example for the Security Group Member 1_2 and the Check Point SNMP OID "svn.sysInfo.sysDescr":

snmpwalk -v 3 -u MyUsmUser -l AuthPriv -a SHA256 -A MyUsmAuthPhrase -x AES256 -X MyUsmPrivacyPhrase 172.16.103.220 -n MEMBER1_2 .1.3.6.1.4.1.2620.1.6.23.1.0

CLI Syntax for SNMP configuration

set snmp snmp-per-member

      state on mode <Mode> user <SNMPv3 USM User>

      state off

show snmp snmp-per-member {mode | state | user}

CLI Syntax for SNMP query (based on 'snmpwalk')

snmpwalk -v 3 -u <SNMPv3 USM User> -l <AuthenticationLevel> -a <AuthenticationProtocol> -A <AuthenticationPhrase> -x <PrivacyProtocol> -X <PrivacyPhrase> <IP Address of Security Group> -n <Name of SNMPv3 Context for Security Group Member> <SNMP OID>
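The procedure above and this syntax block both end at a single snmpwalk against one member. The script below is an added example (not Check Point's code and not part of the original page) that drives the same query from the SNMP client for every member of a Security Group and reports members whose answer differs from the rest, which is the usual reason to query members individually instead of the aggregated "asg" branch. It assumes the context name pattern MEMBER<site>_<member> generalizes from the page's one example MEMBER1_2, and it assumes a net-snmp snmpwalk on the client. The USM passphrases are written to a private snmp.conf selected through the SNMPCONFPATH environment variable rather than passed with -A/-X, so they do not appear in the process list or shell history.

```python
"""Added example: query every Security Group Member through the SNMPv3
"ContextName" proxy and flag members whose answer differs from the rest."""
import os
import re
import subprocess
import sys
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# Check Point OID svn.sysInfo.sysDescr, as used in the page's snmpwalk example.
SYS_DESCR_OID = ".1.3.6.1.4.1.2620.1.6.23.1.0"


def context_name(site: int, member: int) -> str:
    """Assumption: context names follow the page's example MEMBER1_2,
    i.e. MEMBER<site>_<member>. Verify this against your Security Group."""
    return f"MEMBER{site}_{member}"


def write_snmp_conf(dirpath: str, user: str, auth_proto: str, auth_phrase: str,
                    priv_proto: str, priv_phrase: str) -> str:
    """Write a private net-snmp snmp.conf (mode 0600) holding the USM
    credentials, so they never appear on the snmpwalk command line."""
    path = os.path.join(dirpath, "snmp.conf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"defSecurityName {user}\n"
                f"defSecurityLevel authPriv\n"
                f"defAuthType {auth_proto}\n"
                f"defAuthPassphrase {auth_phrase}\n"
                f"defPrivType {priv_proto}\n"
                f"defPrivPassphrase {priv_phrase}\n")
    return path


def build_snmpwalk_argv(target: str, context: str, oid: str) -> List[str]:
    """snmpwalk -v 3 -n <context> <target> <oid>. -On forces numeric OIDs so the
    parser below does not depend on which MIBs the client has loaded; user,
    level and passphrases come from snmp.conf (see write_snmp_conf)."""
    return ["snmpwalk", "-v", "3", "-On", "-n", context, target, oid]


# "<oid> = <TYPE>: <value>" as printed by net-snmp with -On; TYPE is optional.
_LINE = re.compile(r"^(\.[\d.]+)\s*=\s*(?:([A-Za-z0-9-]+):\s*)?(.*)$")


def parse_snmpwalk_output(text: str) -> Dict[str, str]:
    """Map each OID in snmpwalk output to its value (quotes stripped from
    STRING values). Lines that are not OID/value pairs are ignored."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        oid, vtype, value = m.groups()
        if vtype == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        values[oid] = value
    return values


def query_member(target: str, context: str, oid: str,
                 conf_dir: str) -> Optional[Dict[str, str]]:
    """Run snmpwalk for one member. None means the member did not answer
    (timeout or non-zero exit), which the caller reports separately."""
    env = dict(os.environ, SNMPCONFPATH=conf_dir)
    proc = subprocess.run(build_snmpwalk_argv(target, context, oid),
                          capture_output=True, text=True, env=env, timeout=60)
    if proc.returncode != 0 or "Timeout" in proc.stdout + proc.stderr:
        return None
    return parse_snmpwalk_output(proc.stdout)


def find_outliers(results: Dict[str, Optional[Dict[str, str]]],
                  oid: str) -> Dict[str, Optional[str]]:
    """Return {context: value} for members whose value for `oid` differs from
    the most common value, plus members that did not answer (value None)."""
    answers = {ctx: r.get(oid) for ctx, r in results.items() if r is not None}
    outliers: Dict[str, Optional[str]] = {}
    if answers:
        majority = Counter(answers.values()).most_common(1)[0][0]
        outliers.update({ctx: v for ctx, v in answers.items() if v != majority})
    outliers.update({ctx: None for ctx, r in results.items() if r is None})
    return outliers


if __name__ == "__main__":
    # Usage: script.py <Security Group IP> <number of members in site 1>
    # Credentials come from the environment; protocol names use the page's
    # values unless overridden (your net-snmp version may spell them differently).
    target, n_members = sys.argv[1], int(sys.argv[2])
    conf_dir = tempfile.mkdtemp(prefix="cp-snmp-")
    write_snmp_conf(conf_dir, os.environ["SNMP_USER"],
                    os.environ.get("SNMP_AUTH_PROTO", "SHA256"), os.environ["SNMP_AUTH"],
                    os.environ.get("SNMP_PRIV_PROTO", "AES256"), os.environ["SNMP_PRIV"])
    results = {context_name(1, m): query_member(target, context_name(1, m),
                                                SYS_DESCR_OID, conf_dir)
               for m in range(1, n_members + 1)}
    for ctx, value in find_outliers(results, SYS_DESCR_OID).items():
        print(f"{ctx}: {'no answer' if value is None else 'differs: ' + value}")
```

Because the proxy answers from the member named in the context, a member that is down or not yet synchronized simply does not reply; the script treats that timeout as its own finding instead of silently dropping the member. Compare against the aggregated "asg" branch only after every member answered.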

Files

  • /var/log/snmp_per_member.log

    Log file.

  • /etc/snmp/scalable_platform.conf

    Internal configuration file.

    Important:

    • Do not edit this file manually.

      Use only the Gaia gClish command "set snmp snmp-per-member".

    • Gaia OS also saves the required settings in its database.

      To see these settings, run in the Expert mode:

      dbget -rva snmp:per_member