Polling Check Point SNMP MIB on X-series

Article ID: 167983

Products

XOS

Issue/Introduction

The Check Point application does not use the Blue Coat SNMP daemon for polling Check Point MIBs. Instead, the Check Point SNMP extension must be enabled and configured.

Cause

The following solution describes how to enable SNMP for polling Check Point MIBs.

Resolution

Enabling SNMP on Check Point application

Before configuring SNMP, the Check Point SNMP extension must be enabled on the VAP group. This can be done using the following command from the CLI:

application <app-name> vap-group <vap-group-name> configure

From the menu, choose the following option to enable SNMP, and answer yes:
2. SNMP Extension
 

Configuring SNMP on the Modules

Edit $FWDIR/conf/snmp.C so that its values match those the SNMP manager uses to query the module. Enter each setting inside the parentheses that follow the word "value".

IMPORTANT: Enabling the SNMP daemon at the Check Point level requires a restart of the firewall module.

Sample snmp.C:

(
    : (
        : (system.sysName.0
            :value (chassis_hostname)
        )
        : (system.sysDescr.0
            :value ("Crossbeam Check Point FireWall-1")
        )
        : (system.sysContact.0
            :value ("Support")
        )
        : (system.sysLocation.0
            :value ("Support LAB")
        )
        : (system.sysObjectID.0
            :value (".1.3.6.1.4.1.2620.1.1")
        )
    )
    :snmp_community (
        :read (crossbeam)
        :write () <--- not necessary to modify only for polling
    )
)

NOTE: The system object ID should not be modified.
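
An added example, not part of the original article or of any Check Point or Blue Coat tooling: a Python check that reads the text of snmp.C and reports a modified sysObjectID, a read community left at a sample or common default value, and a non-empty write community. The function names, the WELL_KNOWN list and the misconfigured sample are assumptions made for illustration; SNMP v1 carries the community string in cleartext, so it should not be a guessable value.

```python
import re

# OID from the article's sample; the article says it should not be modified.
EXPECTED_OID = ".1.3.6.1.4.1.2620.1.1"
# Assumption: values treated as guessable. "crossbeam" is the article's sample.
WELL_KNOWN = {"public", "private", "crossbeam"}

def _field(text, name):
    """Content of ':name (...)' with quotes stripped, or None if absent."""
    m = re.search(r":%s\s*\(\s*([^()]*?)\s*\)" % re.escape(name), text)
    return m.group(1).strip('"') if m else None

def _oid_value(text, oid):
    """The ':value (...)' that follows '(<oid>', or None if absent."""
    pat = r"\(\s*%s\s*:value\s*\(\s*([^()]*?)\s*\)" % re.escape(oid)
    m = re.search(pat, text)
    return m.group(1).strip('"') if m else None

def audit_snmp_c(text):
    """Return a list of findings for one snmp.C file's text."""
    findings = []
    oid = _oid_value(text, "system.sysObjectID.0")
    if oid != EXPECTED_OID:
        findings.append("sysObjectID is %r, expected %r" % (oid, EXPECTED_OID))
    read = _field(text, "read")
    if not read:
        findings.append("read community is empty or missing")
    elif read.lower() in WELL_KNOWN:
        findings.append("read community %r is a sample or default value" % read)
    if _field(text, "write"):
        findings.append("write community is set; polling needs only read")
    return findings

# Constructed inputs: the article's sample (trimmed) and a misconfigured variant.
ARTICLE_SAMPLE = """(
: (
: (system.sysObjectID.0
:value (".1.3.6.1.4.1.2620.1.1")
)
)
:snmp_community (
:read (crossbeam)
:write () <--- not necessary to modify only for polling
)
)"""
BAD_SAMPLE = ARTICLE_SAMPLE.replace("2620.1.1", "9999.1").replace(
    "(crossbeam)", "(public)").replace(":write ()", ":write (rwsecret)")
if __name__ == "__main__":
    print(audit_snmp_c(ARTICLE_SAMPLE), audit_snmp_c(BAD_SAMPLE))
```

An empty result means the file passed all three checks; run it against the contents of $FWDIR/conf/snmp.C before restarting the firewall module.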

Enabling SNMP on Check Point on the SNMP Manager:

The Check Point MIB file needs to be imported into the SNMP manager. The location of the MIB file, chkpnt.mib, on the Check Point module is:

/opt/CPshrd-R55/lib/snmp/chkpnt.mib

or

$CPDIR/lib/snmp/chkpnt.mib

Enabling SNMP on Check Point Within SmartDashboard:

Create a rule for inbound traffic to the module on port 260 from the SNMP manager:

Src: snmp-manager
Dst: fw-ip reachable by snmp manager
Service: FW1_snmp
Action: accept
Track: Long

Testing will depend on the OS being used, but the ports and the version are important. Run the command:

snmpwalk -m </path to snmp mib file> -v 1 -c <community> -p 260 <ip of host> checkpoint

or

snmpwalk -m </path to snmp mib file> -v 1 -c <community> <ip of host>:260 checkpoint

Workaround

N/A