Check Point device modeling in Spectrum creates multiple models with the same IP address


Article ID: 210584


Updated On:

Products

CA Spectrum

Issue/Introduction

Modeling a Check Point device in Spectrum creates multiple models with the same IP address.

Cause

This is functioning as designed when the Check Point device is modeled using an SNMPv3 community string.

Environment

Release: Any

Component: Spectrum Modeling

Resolution

Reference the following from the "Certifying and supporting virtual systems within Check Point Firewall" section of the documentation:

Overview

10.2 certifies and enables discovery and modeling of virtual systems present in the Check Point Firewall.

Each Check Point Firewall has a Primary context and multiple Virtual contexts, which can be treated as separate Firewalls. The primary and virtual contexts share the same IP address, but maintain their own set of interfaces and routing tables. With SNMPv2, you cannot discover and model virtual systems; only the root context information can be fetched.

Warning

If you want to monitor virtual systems within a Check Point Firewall, you need to have the Firewall configured with SNMPv3.

A separate container is created when DX NetOps Spectrum discovers a Check Point firewall device that has virtual systems. Using the context name to discover the virtual systems of the Check Point Firewall, DX NetOps Spectrum communicates with each virtual system and fetches the corresponding interface information and other VPN, VSX, and connectivity related information.
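
The context name mentioned above travels in the SNMPv3 ScopedPDU (RFC 3412), so requests to one IP address can target different virtual systems. The following is an added example, not code from Spectrum or Check Point, that decodes that field from constructed sample PDUs; the engine ID and context names are made-up values.

```python
# Added example: BER-decode the SNMPv3 ScopedPDU header (RFC 3412) to read
# contextEngineID and contextName. All sample values below are constructed.

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf: bytes, pos: int, want_tag: int):
    """Return (value, next_pos) for the TLV at pos; reject malformed input."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def build_scoped_pdu(engine_id: bytes, context_name: str, pdu: bytes) -> bytes:
    """ScopedPDU ::= SEQUENCE { contextEngineID, contextName, data }."""
    return tlv(0x30, tlv(0x04, engine_id) + tlv(0x04, context_name.encode()) + pdu)

def scoped_context(scoped_pdu: bytes):
    """Return (contextEngineID, contextName) from a plaintext ScopedPDU."""
    body, _ = read_tlv(scoped_pdu, 0, 0x30)
    engine_id, pos = read_tlv(body, 0, 0x04)
    name, _ = read_tlv(body, pos, 0x04)
    return engine_id, name.decode()

ENGINE = bytes.fromhex("80001f8880aabbccdd")  # constructed engine ID
# GetRequest-PDU: request-id 1, error-status 0, error-index 0, empty varbind list
GET_REQ = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, b""))
# Empty name = default (primary) context; the other names are constructed.
SAMPLES = [build_scoped_pdu(ENGINE, c, GET_REQ) for c in ("", "vs-example-1", "vs-example-2")]

if __name__ == "__main__":
    for raw in SAMPLES:
        eid, ctx = scoped_context(raw)
        print(f"engine={eid.hex()} context={ctx or '(default)'}")
```

When SNMPv3 privacy is enabled the ScopedPDU is encrypted on the wire, so this decoder applies only after decryption or to noAuthNoPriv/authNoPriv captures.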