How to enable SNMP on CheckPoint SecurePlatform R75.30 and monitor with Observium
References: http://blog.lachmann.org/?p=1324
Create a DNS entry for your Firewall so that Observium can see it.
Launch SmartDashboard
Left-click on the firewall under Network Objects
Click Edit
On the left tree, click other
Under SNMP type in the following...
sysName
sysLocation
sysContact
Read community: <input community RO string>
Write community: <input community RW string>
Login via SSH into the firewall
Enable Expert mode by typing "expert" and putting in the password
1.1 Show existing users (=community string)
1.2 Delete user “public”
1.3 Create new user
1.4 Enable service
2. Enable Check Point SNMP extension
2.1 Check status
2.2 Enable extensions
Please note that this will cause a restart of Check Point services!
3. Check for correct SNMP configuration
The SNMP daemon is running on port 161, the Check Point SNMP daemon runs on port 260. The Check Point daemon can be queried by the normal SNMP daemon as he acts as a proxy.
4. Restart snmp daemon
5. Generate an access rule for SNMP polling from the firewall in your rule base.
6. Configure your system monitoring as you like.
For Nagios/Icinga I recommend the check_snmp_cpfw.pl plugin.
Go to observium and then click Devices > Add Device > and then add the FQDN of the Firewall and it should be added.
[Expert@firewall]# snmp user show
public 1.2 Delete user “public”
[Expert@firewall]# snmp user del public
Stopping snmpd: [ OK ]
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]
[Expert@firewall]# 1.3 Create new user
[Expert@firewall]# snmp user add noauthuser YOURCOMMUNITYHERE
Stopping snmpd: [ OK ]
Starting snmpd: [ OK ]
[Expert@firewall]# /usr/sbin/snmpmonitor: Trap Server is not defined
[Expert@firewall]# 1.4 Enable service
[Expert@firewall]# snmp service enable
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]
[Expert@firewall]#[Expert@firewall]# snmp service stat
SNMP service enabled and listening on port 161.
[Expert@firewall]# 2. Enable Check Point SNMP extension
2.1 Check status
[Expert@firewall]# cp_conf snmp get
Currently SNMP Extension is NOT active
[Expert@firewall]# 2.2 Enable extensions
Please note that this will cause a restart of Check Point services!
[Expert@firewall]#cp_conf snmp activate
(...) Restart messages for cpstop / cpstart
[Expert@firewall]#[Expert@firewall]# cp_conf snmp get
Currently SNMP Extension is active 3. Check for correct SNMP configuration
The SNMP daemon is running on port 161, the Check Point SNMP daemon runs on port 260. The Check Point daemon can be queried by the normal SNMP daemon as he acts as a proxy.
[Expert@firewall]# netstat -an | egrep -e "(:260|:161)"
udp 0 0 0.0.0.0:260 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:* 4. Restart snmp daemon
[Expert@firewall]# snmp service disable
Stopping snmpd: [ OK ]
[Expert@firewall]# snmp service enable
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ] 5. Generate an access rule for SNMP polling from the firewall in your rule base.
6. Configure your system monitoring as you like.
For Nagios/Icinga I recommend the check_snmp_cpfw.pl plugin.
Go to observium and then click Devices > Add Device > and then add the FQDN of the Firewall and it should be added.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.