
How to enable SNMP on SecurePlatform

Solution ID: sk34511
Product: SecurePlatform
Version: All
OS: SecurePlatform, SecurePlatform 2.6
Date Created: 28-Feb-2008
Last Modified: 13-Feb-2012

Solution

Procedure:

1. Log in to the SecurePlatform CLI.
2. Log in to Expert Mode.
3. Configure the SNMP daemon:
   a. Go to 'CPconfig' menu:
          [Expert@HostName]# cpconfig
   b. Select 'SNMP Extension'.
   c. Enter 'y' at the prompt and press the Enter key.
   At this point, both the operating system Management Information Base (MGMT branch 1.3.6.1.2.1.x) and the Check Point MIB (1.3.6.1.4.1.2620.x) are listening on port 161.
4. Enable the SNMP service:
       [Expert@HostName]# snmp service enable
5. To verify that the SNMP is running correctly, run the following commands:
       [Expert@HostName]# ps aux | grep snmp
       [Expert@HostName]# netstat -an | grep 161
       [Expert@HostName]# snmpwalk -c public -v 2c 127.0.0.1 1.3.6.1.2.1          (to check the OS MIB)
       [Expert@HostName]# snmpwalk -v 2c -c public 127.0.0.1 1.3.6.1.4.1.2620     (to check the Check Point MIB)

If you do not get a response, the SNMP Agent is not running correctly.

The community name must be added in the $FWDIR/conf/snmp.C file.

Procedure:

1. Run the cpstop command.
2. Open the $FWDIR/conf/snmp.C file in a text editor.
3. Find the line:
       :snmp_community
4. Add the community name as the "read" value, as shown in the following example:
       :snmp_community (
           :read (community_name)
           :write ()
       )
5. Save and exit the file.
6. Run the cpstart command.

To change the SNMP community name both for the Check Point and OS MIB, edit the /etc/snmp/snmpd.users.conf file.

Solution

To monitor the system over SNMP, do the following:

1. Activate the SNMP service on the OS.
2. Verify that the process is running properly.
3. Configure the SNMP configuration files:
   a. /etc/snmp/snmpd.users.conf (configuring the SNMP users)
   b. $FWDIR/conf/snmp.C (configuring the SNMP communities)
   c. /etc/snmp/snmpd.conf (configuring the SNMP general file: traps, RO communities, locations, etc.)
4. Test the traps.

Activation of the SNMP service:

1. Log in to the SecurePlatform CLI.
2. Log in to Expert Mode.
3. Enable the SNMP service by running the command:
       snmp service enable 161
4. Configure the SNMP daemon:
   a. Run the cpconfig command.
   b. Choose 'SNMP extensions'.
5. Enter 'y' at the prompt and press the "Enter" key.

To verify that SNMP is running correctly, run the following commands in Expert Mode:

1. ps aux | grep snmp
   This should show the snmp process running. Example for a running process:
       [Expert@SNMP_DEMO]# ps aux | grep snmp
       root 3136 0.0 0.2 8380 4264 ? S Feb29 0:22 /usr/sbin/snmpd
       root 3186 0.0 0.1 4652 2392 ? S Feb29 0:00 /usr/sbin/snmpm
2. netstat -an | grep 161
   This should show that there is a process listening on port 161. Example for a running process:
       [Expert@SNMP_DEMO]# netstat -an | grep 161
       udp 0 0 0.0.0.0:161 0.0.0.0:*
3. ps aux | grep cpsnmp
   Verify that the Check Point process on top of the OS SNMP is running. Example for a running process:
       [Expert@SNMP_DEMO]# ps aux | grep cpsnmp
       root 3185 0.0 0.2 17632 4660 ? S Feb29 0:00 /usr/sbin/cpsnmpagentx
4. snmpwalk -c <your community name> -v2c 127.0.0.1 1.3.6.1.2.1 (to check the OS MIB)
   A long list of all the machine MIBs should be displayed.
5. snmpwalk -c <your community name> -v2c 127.0.0.1 1.3.6.1.4.1.2620 (to check the Check Point MIB)
   A long list of all the machine MIBs should be displayed.

Configuring the SNMP configuration files:

/etc/snmp/snmpd.users.conf (Configuring the SNMP users)

This file contains the SNMP daemon's user definitions.

** In some SNMP versions, no traps will be sent if the public user is deleted. If you are having issues with traps, add public to the file. **

1. Stop the SNMP server by running:
       snmp service disable
2. Edit the file:
       vi /etc/snmp/snmpd.users.conf
3. Add your community name to the file. Example of a file:
       [Expert@sssD]# cat /etc/snmp/snmpd.users.conf
       ###################################################################
       #
       # This file contains snmp daemon's users definitions
       # This file updated automatically by snmp configuration script
       # So be very careful when making changes to this file
       #
       ###################################################################
       rocommunity SNMP_DEMO
       rocommunity public
4. Start the SNMP service by running:
       snmp service enable 161

$FWDIR/conf/snmp.C (Configuring the SNMP communities)

The initial SNMP communities (keys) are public and private for read and write, respectively. Changing the default community names minimizes security risks associated with the SNMP protocol. Check Point recommends using your VPN-1/FireWall-1 Security Policy to restrict use of SNMP traffic to an internal SNMP management IP.

To enable SNMP information via the command line or another SNMP tool, modify the $FWDIR/conf/snmp.C file. This file contains the configuration details for the VPN-1/FireWall-1 SNMP agent.

1. Stop the SNMP server by running:
       snmp service disable
2. vi $FWDIR/conf/snmp.C
3. Locate the snmp_community section. Set the values of the read and write attributes, as follows:
       :snmp_community (
           :read ("community_name")
           :write ("community_name")
       )
4. Replace "community_name" with your community name.
5. Save the file and exit.
6. Start the SNMP service by running:
       snmp service enable 161

/etc/snmp/snmpd.conf

snmpd.conf is the file that holds most of the SNMP configuration. In this file, you can configure the various traps and the access list of systems that will be able to walk the SNMP service. The file has 5 major parts:

1. Must-have component (this is in the file by default and should not be removed)
   The following lines need to be in the snmpd.conf file:
       master agentx
       sysservices 76
       smuxpeer 1.3.6.1.4.1.4.3.1.4

2. System information
   System information can be added to the configuration file. This allows the system to be queried for location, owners, contact info, etc. These entries are optional and can be left out of the file if not needed.
       syslocation "Here you can add information on the system location"
       syscontact "Here you can add information on the system owner and contact information"

3. Community strings
   This string allows remote systems to walk and query the current system. The string is:
       rocommunity <community name> <IP>
   By specifying the IP, you make sure that only the systems with the specified IP can walk the system. It is important to include 127.0.0.1; otherwise you will not be able to walk the system locally over the lo interface to test and troubleshoot. If you leave the IP empty, ANY IP will be able to walk the system.
   Example:
       rocommunity SNMP_DEMO 127.0.0.1
       rocommunity SNMP_DEMO 1.1.1.1

4. Trap strings
   trap2sink is the string that generates the traps and sends them to your "receiving" system. If you have more than one SNMP receiver, you will need more than one trap2sink entry. By default, trap2sink works on port 162, so you do not need to specify the port unless you would like to use a different one.
   ** Some SNMP versions do not support more than a single trap2sink. If you have an issue, try to use only a single entry. **
   Syntax:
       trap2sink <sink-server>[:<port>] <community>
   For example:
       rocommunity SNMP_DEMO
       trap2sink 1.1.1.1 SNMP_DEMO
       trap2sink 2.2.2.2 SNMP_DEMO

5. cp_monitor
   cp_monitor is the collection of traps we would like to generate. Each trap is generated by cp_monitor followed by an OID and a condition.
   For example:
       cp_monitor <OID> > 1 60 "TEST"
   Breakdown:
   The '>' means greater than; we can also use ==, !=, <=, <, >, >=.
   The '1' is the value we monitor. In some traps, we can also use text.
   The '60' means a trap is sent every 60 seconds while this condition is valid. If this value is not set, only one trap will be sent.
   The "TEST" is the text that will be sent with the trap.

The Check Point MIB / OID list can be found on the system you wish to monitor under "/opt/CPshrd-R<Version number>/lib/snmp". Two files hold the information:

    chkpnt.mib (specifies all the OIDs that can be used for walk and trap)
    chkpnt-trap.mib (specifies all the traps)

By reviewing these files, you can see which walks or traps you need to configure and what the value is for each status. An easy way to see the different functions and options that you can walk or trap is to download a free MIB walker and load chkpnt.mib into the application.

Here is an example of a few common traps to monitor the firewall health:

    #Network
    cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 60 "link eth0 down"

*** When monitoring the network link status, note that the last number (in this case 1) is the number of your card. In most cases, 0 is for the lo interface, 1 is for eth0, 2 for eth1, etc. Verify this before you configure your trap. You can always walk the interface to test the specific OID, or remove the last number to query all the interfaces. **

For example:

Query a specific interface:

    [Expert@SNMP_DEMO]# snmpwalk -c nordread -v2c 127.0.0.1 1.3.6.1.2.1.2.2.1.8.1
    IF-MIB::ifOperStatus.1 = INTEGER: up(1)

Query all interfaces:

    [Expert@SNMP_DEMO]# snmpwalk -c nordread -v2c 127.0.0.1 1.3.6.1.2.1.2.2.1.8
    IF-MIB::ifOperStatus.1 = INTEGER: up(1)
    IF-MIB::ifOperStatus.2 = INTEGER: up(1)
    IF-MIB::ifOperStatus.3 = INTEGER: up(1)
    IF-MIB::ifOperStatus.4 = INTEGER: down(2)

    #Hardware
    cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 99 60 "CPU load 1 min"

** This will monitor the CPU load and will report every 60 seconds when the CPU is higher than 99%. **

    cp_monitor 1.3.6.1.4.1.2021.10.1.5.2 > 90 300 "CPU load 5 min"
    cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap"
    cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 3000 20 "Case Fan speed is to low"

** This will monitor the fan and will report if the fan rotates too slowly. **

    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 < 3000 20 "CPU 1 Fan speed is to low"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 80 20 "M/B Temp is too high"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 100 20 "CPU 1 Temp is too high"
    cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
    cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"

    #firewall
    cp_monitor 1.3.6.1.4.1.2620.1.1.25.3.0 > 500 60 "Current Connection is high "
    cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 == "down" 60 "HA member is down "

** This will monitor if a cluster status has changed to down. **

    cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 == "active needs attention" 60 "HA member needs attention "

** This will monitor if a cluster status has changed to active needs attention. **

    cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap To Low"
    cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal To Low"

Testing traps:

By adding a cp_monitor with a value that does not exist, we can generate traps to verify that the system is operational and sending traps. Example:

    cp_monitor 1.3.6.1.2.1.2.2.1.2.1 != 6 20 "TEST loopback is up"
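The cp_monitor syntax and the test trap above, as an added example (not from the original article or from Check Point): a Python dry run that parses cp_monitor lines and reports which of them would send a trap for a given set of readings. The readings are constructed, and comparing mixed number/text values as text is an assumption, not documented agent behaviour.

```python
import operator
import shlex

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def parse_cp_monitor(line):
    """Split one line: cp_monitor <OID> <op> <value> [interval] "message"."""
    tok = shlex.split(line)
    if len(tok) not in (5, 6) or tok[0] != "cp_monitor":
        raise ValueError("not a cp_monitor line: %r" % line)
    if tok[2] not in OPS:
        raise ValueError("unknown operator %r" % tok[2])
    interval = int(tok[4]) if len(tok) == 6 else None  # None: only one trap is sent
    return {"oid": tok[1], "op": tok[2], "value": tok[3],
            "interval": interval, "message": tok[-1]}

def _coerce(text):
    try:
        return int(text)
    except ValueError:
        return text

def would_fire(rule, current):
    """True if the rule's condition holds for a value read from the agent."""
    a, b = _coerce(current), _coerce(rule["value"])
    if type(a) is not type(b):   # assumption: mixed number/text compares as text
        a, b = str(a), str(b)
    return OPS[rule["op"]](a, b)

def dry_run(conf_text, readings):
    """Return the messages of all rules whose condition holds for the readings."""
    rules = [parse_cp_monitor(l) for l in conf_text.splitlines()
             if l.strip().startswith("cp_monitor")]
    return [r["message"] for r in rules
            if r["oid"] in readings and would_fire(r, readings[r["oid"]])]

# Rules copied from the page; the readings are constructed sample values.
RULES = """\
cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 60 "link eth0 down"
cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 99 60 "CPU load 1 min"
cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 == "down" 60 "HA member is down "
cp_monitor 1.3.6.1.2.1.2.2.1.2.1 != 6 20 "TEST loopback is up"
"""
READINGS = {"1.3.6.1.2.1.2.2.1.8.1": "1", "1.3.6.1.4.1.2021.10.1.5.1": "100",
            "1.3.6.1.4.1.2620.1.5.6.0": "active", "1.3.6.1.2.1.2.2.1.2.1": "lo"}

if __name__ == "__main__":
    for message in dry_run(RULES, READINGS):
        print("would trap:", message)
```

The test rule fires for any interface description that is not 6, which is why it is usable as an always-on check that traps reach the receiver.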

Sample of a full snmpd.conf:

    ###########################################################################
    #
    # snmpd.conf
    #
    # - created by the snmpconf configuration program
    #
    ###########################################################################
    ###########################################################################
    # SECTION: Extending the Agent
    #
    # You can extend the snmp agent to have it return information
    # that you yourself define.

    # pass: Run a command that interprets the request for an entire tree.
    # The pass program defined here will get called for all
    # requests below a certain point in the mib tree. It is then
    # responsible for returning the right data beyond that point.
    #
    # arguments: miboid program
    #
    # example: pass .1.3.6.1.4.1.2021.255 /path/to/local/passtest
    #
    # See the snmpd.conf manual page for further information.
    #
    # Consider using "pass_persist" for a performance increase.

    master agentx

    ###########################################################################
    # SECTION: Monitor Various Aspects of the Running Host
    #
    # The following check up on various aspects of a host.

    # proc: Check for processes that should be running.
    # proc NAME [MAX=0] [MIN=0]
    #
    # NAME: the name of the process to check for. It must match
    # exactly (ie, http will not find httpd processes).
    # MAX: the maximum number allowed to be running. Defaults to 0.
    # MIN: the minimum number to be running. Defaults to 0.
    #
    # The results are reported in the prTable section of the UCD-SNMP-MIB tree
    # Special Case: When the min and max numbers are both 0, it assumes
    # you want a max of infinity and a min of 1.

    # disk: Check for disk space usage of a partition.
    # The agent can check the amount of available disk space, and make
    # sure it is above a set limit.
    #
    # disk PATH [MIN=100000]
    #
    # PATH: mount path to the disk in question.
    # MIN: Disks with space below this value will have the Mib's errorFlag set.
    # Can be a raw byte value or a percentage followed by the %
    # symbol. Default value = 100000.
    #
    # The results are reported in the dskTable section of the UCD-SNMP-MIB tree

    # load: Check for unreasonable load average values.
    # Watch the load average levels on the machine.
    #
    # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
    #
    # 1MAX: If the 1 minute load average is above this limit at query
    # time, the errorFlag will be set.
    # 5MAX: Similar, but for 5 min average.
    # 15MAX: Similar, but for 15 min average.
    #
    # The results are reported in the laTable section of the UCD-SNMP-MIB tree

    ###########################################################################
    # SECTION: System Information Setup
    #
    # This section defines some of the information reported in
    # the "system" mib group in the mibII tree.

    # syslocation: The [typically physical] location of the system.
    # arguments: location_string
    syslocation "Server Room"

    # syscontact: The contact information for the administrator
    # arguments: contact_string
    syscontact "Call Support"

    # sysservices: The proper value for the sysServices object.
    # arguments: sysservices_number
    sysservices 76

    ###########################################################################
    # SECTION: SNMP Autoconfiguration
    #
    # This section defines the configuration of SNMP traps and communities
    # as defined via the WebUI interface.

    #CP_COMMUNITY_INDEX 1
    #CP_TRAP_INDEX 1

    ### CHECKPOINT AUTOMATIC COMMUNITY DEFINITION - DO NOT MODIFY!!! ###
    ### END CHECKPOINT AUTOMATIC COMMUNITY DEFINITION ###
    ### CHECKPOINT AUTOMATIC TRAP DEFINITION - DO NOT MODIFY!!! ###
    ### END CHECKPOINT AUTOMATIC TRAP DEFINITION ###
    ### CHECKPOINT TRAP SINK DEFINITION - DO NOT MODIFY!!! ###
    ### END CHECKPOINT TRAP SINK DEFINITION ###

    smuxpeer 1.3.6.1.4.1.4.3.1.4

    #rocommunity
    rocommunity SNMP_DEMO 127.0.0.1
    rocommunity SNMP_DEMO 1.1.1.1
    rocommunity SNMP_DEMO 2.2.2.2

    #trap2sink
    trap2sink 1.1.1.1 SNMP_DEMO
    trap2sink 2.2.2.2 SNMP_DEMO

    #Network
    cp_monitor 1.3.6.1.2.1.2.2.1.8.1 == 2 60 "link eth0 down"

    #Hardware
    cp_monitor 1.3.6.1.4.1.2021.10.1.5.1 > 100 60 "CPU load 1 min"
    cp_monitor 1.3.6.1.4.1.2021.10.1.5.2 > 90 300 "CPU load 5 min"
    cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap"
    cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 < 3000 20 "Case Fan speed is to low"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 < 3000 20 "CPU 1 Fan speed is to low"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 > 80 20 "M/B Temp is too high"
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0 > 100 20 "CPU 1 Temp is too high"
    cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
    cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"

    #firewall
    cp_monitor 1.3.6.1.4.1.2620.1.1.25.3.0 > 500 60 "Current Connection is high "
    cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 == "down" 60 "HA member is down "
    cp_monitor 1.3.6.1.4.1.2620.1.5.6.0 == "active needs attention" 60 "HA member needs attention "
    cp_monitor 1.3.6.1.4.1.2021.4.4.0 < 2000 60 "memAvailSwap To Low"
    cp_monitor 1.3.6.1.4.1.2021.4.6.0 < 2000 60 "memAvailReal To Low"
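An added example (not part of the original article) that audits rocommunity lines against the points made in the snmpd.users.conf and snmpd.conf sections: default community names, entries with no source IP, and communities that lack a 127.0.0.1 entry. The sample input is constructed from the page's own examples, NMS_ONLY is a made-up community name, and treating a source of "default" as any host follows net-snmp's snmpd.conf syntax.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}   # the initial read/write names

def audit_communities(conf_text):
    """Return (line_no, community, finding) tuples for risky rocommunity lines."""
    findings, first_seen, local_ok = [], {}, set()
    for no, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)   # drops '#' comments
        except ValueError:                          # unbalanced quote on another line
            continue
        if len(tok) < 2 or tok[0] != "rocommunity":
            continue
        community = tok[1]
        source = tok[2] if len(tok) > 2 else None
        first_seen.setdefault(community, no)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, community, "default community name"))
        if source in (None, "default"):
            findings.append((no, community, "no source IP: any host can walk"))
            local_ok.add(community)                 # reachable locally as well
        elif source == "127.0.0.1":
            local_ok.add(community)
    for community, no in first_seen.items():
        if community not in local_ok:
            findings.append((no, community,
                             "no 127.0.0.1 entry: local snmpwalk test fails"))
    return findings

# Constructed sample, modelled on the page's snmpd.users.conf and snmpd.conf.
# NMS_ONLY is a hypothetical community name used only for this example.
SAMPLE = """\
# rocommunity
rocommunity public
rocommunity SNMP_DEMO 127.0.0.1
rocommunity SNMP_DEMO 1.1.1.1
rocommunity NMS_ONLY 2.2.2.2
trap2sink 1.1.1.1 SNMP_DEMO
"""

if __name__ == "__main__":
    for no, community, finding in audit_communities(SAMPLE):
        print("line %d: %s: %s" % (no, community, finding))
```

Run it against copies of /etc/snmp/snmpd.users.conf and /etc/snmp/snmpd.conf together, since a community restricted in one file can still be left open in the other.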
