Before configuring SNMP, the Check Point SNMP extension must be enabled on the VAP group. This can be done using the following command from the CLI:
Edit $FWDIR/conf/snmp.C so that its values match the ones the SNMP manager uses when it queries the module. Enter each setting inside the parentheses that follow the word "value".
IMPORTANT: Enabling the SNMP daemon at the Check Point level requires a restart of the firewall module.
Sample snmp.C:
(
    : (
        : (system.sysName.0
            :value (chassis_hostname)
        )
        : (system.sysDescr.0
            :value ("Crossbeam Check Point FireWall-1")
        )
        : (system.sysContact.0
            :value ("Support")
        )
        : (system.sysLocation.0
            :value ("Support LAB")
        )
        : (system.sysObjectID.0
            :value (".1.3.6.1.4.1.2620.1.1")
        )
    )
    :snmp_community (
        :read (crossbeam)
        :write () <--- not necessary to modify when the module is only polled
    )
)
NOTE: The system object ID should not be modified.
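An added example, not part of the original article and not Check Point or Crossbeam code: a shell check that reads the :snmp_community block of snmp.C and flags a non-empty :write community (polling only needs :read) or a :read community left at a common default or at this page's sample value. The function names and the WEAK list are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point or Crossbeam code): audit :snmp_community in snmp.C.
# Function names and the WEAK list are assumptions made for this example.
WEAK="public private crossbeam"   # common defaults plus this page's sample value

# Print the text inside ":<key> (...)" of the :snmp_community block. $1 = read|write, $2 = path
snmp_c_community() {
    awk -v key=":$1" '
        /:snmp_community[ \t]*\(/ { inblk = 1; next }
        inblk && $0 ~ ("^[ \t]*" key "[ \t]*\\(") {
            line = $0
            sub(/^[^(]*\(/, "", line)             # drop up to the opening "("
            sub(/\).*$/, "", line)                # drop ")" and any trailing note
            gsub(/^[ \t"]+|[ \t"]+$/, "", line)   # trim blanks and quotes
            print line
            exit
        }
        inblk && /^[ \t]*\)/ { inblk = 0 }        # end of the community block
    ' "$2"
}

# Print one line per finding; return 1 if anything was found. $1 = path to snmp.C
audit_snmp_c() {
    rc=0
    rd=$(snmp_c_community read "$1")
    wr=$(snmp_c_community write "$1")
    if [ -n "$wr" ]; then
        echo "FINDING: write community is set, polling only needs :read"; rc=1
    fi
    for w in $WEAK; do
        if [ "$rd" = "$w" ]; then
            echo "FINDING: read community '$rd' is a default or sample value"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input, modelled on the community block of the sample snmp.C.
sample=$(mktemp)
cat > "$sample" <<'EOF'
(
    :snmp_community (
        :read (crossbeam)
        :write () <--- left empty
    )
)
EOF
audit_snmp_c "$sample" || true
rm -f "$sample"
```

On the module, call audit_snmp_c with the path $FWDIR/conf/snmp.C after editing the file.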
The Check Point MIB file needs to be imported into the SNMP manager. The location of the MIB file, chkpnt.mib, on the Check Point module is:
/opt/CPshrd-R55/lib/snmp/chkpnt.mib
or
$CPDIR/lib/snmp/chkpnt.mib
Create a rule for inbound traffic to the module on port 260 from the SNMP manager:
Src: snmp-manager
Dst: fw-ip reachable by SNMP manager
Service: FW1_snmp
Action: accept
Track: Long
Testing will depend on the OS being used, but the ports and the version are important. Run the command:
snmpwalk -m </path to snmp mib file> -v 1 -c <community> -p 260 <ip of host> checkpoint
or
snmpwalk -m </path to snmp mib file> -v 1 -c <community> <ip of host>:260 checkpoint