Enabling SNMP in Checkpoint

Check Point: Enabling SNMP

Level: Intermediate
Platform: Check Point R61, R62, UTM, VPN-1, Nokia IP560, Nokia IP390
Author: Dinesh Aggarwal

This tutorial shows how to enable SNMP on a Check Point firewall running on Nokia IP560, Nokia IP390, IP690 and other Nokia firewall boxes. Once SNMP is enabled, we can monitor the firewall for a number of performance parameters that help in troubleshooting, such as number of connections, CPU utilization, memory utilization and much more.

Scenario: Nokia boxes (IP560/IP390 etc.) are running with Check Point installed on them. We enable SNMP on Check Point from the Nokia box.

Log in to the Nokia box and run cpconfig:

Password:
Last login: Sat Jul  7 11:49:45 from 10.99.1.51
IPSO 4.2-BUILD031_HF001 #1515: 02.20.2007 221409
You have logged into Nokia IPSO Security Appliance.
Terminal type? [ansi]
testfw[admin]# cpconfig

This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1)  Licenses
(2)  SNMP Extension
(3)  Group Permissions
(4)  PKCS#11 Token
(5)  Random Pool
(6)  Secure Internal Communication
(7)  Disable cluster membership for this gateway
(8)  Disable Check Point SecureXL
(9)  Automatic start of Check Point Products

(10) Exit

Enter your choice (1-10) : 2

 

Configuring SNMP Extension...
=============================
The SNMP daemon enables Check Point products module
to export its status to external network management tools.
Would you like to activate Check Point products SNMP daemon ? (y/n) [n] ? y

Configuration Options:
----------------------
(1)  Licenses
(2)  SNMP Extension
(3)  Group Permissions
(4)  PKCS#11 Token
(5)  Random Pool
(6)  Secure Internal Communication
(7)  Disable cluster membership for this gateway
(8)  Disable Check Point SecureXL
(9)  Automatic start of Check Point Products

(10) Exit

Enter your choice (1-10): 10

Thank You...

Caution: Enabling SNMP on a production network can cause connections to drop if you are not running the firewalls in active/active mode, because Check Point restarts its services.

You have changed Check Point products Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart)
in order to activate the changes you have made.
Would you like to do it now? (y/n) [y] ? y
Stopping SmartView Monitor daemon ...
SmartView Monitor daemon is not running
Stopping SmartView Monitor kernel ...
Driver is Down.
FloodGate-1 is already stopped.
net:noksr:syncready 1 -> 0
VPN-1/FW-1 stopped
SVN Foundation: failed to stop cpd
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
cpstart: Power-Up self tests passed successfully

cpstart: Starting product - SVN Foundation

SVN Foundation: Starting cpWatchDog
SVN Foundation: cpd already running
SVN Foundation: Starting cpsnmpd
SVN Foundation started

cpstart: Starting product - VPN-1

FireWall-1: starting external VPN module -- OK
FireWall-1: Starting fwd

Jul 25 09:57:33 testfw [LOG_CRIT] kernel: FW-1: Hardware accelerator already started.
SecureXL is already started.
Jul 25 09:57:53 testfw [LOG_CRIT] kernel: FW-1: setting external interface to eth-s4p1c0
Jul 25 09:57:53 testfw [LOG_CRIT] kernel: Note: FW SXL Ver: 222050328, IPSO SXL Ver: 255061120
Jul 25 09:57:53 testfw [LOG_CRIT] kernel: FW-1: Nokia IPSO SecureXL device detected.
Jul 25 09:57:53 testfw [LOG_CRIT] kernel: FW-1: SecureXL: Connection templates are not possible for the installed policy (network quota is active). Please refer to the documentation for further details.
Successfully compiled file types magic file.
Fetching Security Policy from localhost succeeded
Jul 25 09:58:09 testfw [LOG_CRIT] kernel: FW-1: State synchronization is in risk. Please examine your synchronization network to avoid further problems !
Jul 25 09:58:09 testfw [LOG_CRIT] kernel: FW-1: Please refer to documentation for details on this issue. Any change must be applied to ALL cluster members
Jul 25 09:58:09 testfw [LOG_CRIT] kernel: FW-1: fwldbcast_recv: delta sync connection with member 1 was lost and regained.1533 updates were lost.
Jul 25 09:58:09 testfw [LOG_CRIT] kernel: FW-1: fwldbcast_recv: received sequence 0x4e51b2 (fragm 0, index 1), last processed seq 0x4e4bb4
Jul 25 09:56:42 testfw [LOG_NOTICE] xpand[886]: date set

(The above messages in bold are normal. Nothing to worry about here.)

Fetching Security Policy From: 10.10.10.1

 Local Policy is Up-To-Date.
 The Policy was not installed because it is the same as the Policy already on the Module.
FireWall-1 started

cpstart: Starting product - FloodGate-1

FloodGate-1 is disabled. If you wish to start the service, please run 'etmstart enable'.

cpstart: Starting product - SmartView Monitor

Some problems:

Sometimes the cpstart command has to be issued manually. Make sure to check in SmartView Monitor that the firewall is showing up in the cluster. This is not normal behavior, but this is the approach to sort out the issue.

testfw[admin]# cpstart
cpstart: Power-Up self tests passed successfully

cpstart: Starting product - SVN Foundation

SVN Foundation: cpWatchDog already running
SVN Foundation: Starting cpd
SVN Foundation: cpsnmpd already running
SVN Foundation started

cpstart: Starting product - VPN-1

Fetching Security Policy From: 10.1.1.1

 Local Policy is Up-To-Date.
The Policy was not installed because it is the same as the Policy already on the Module.
FireWall-1 started

cpstart: Starting product - FloodGate-1

That's it. You now know how to enable SNMP. Just bear in mind that enabling SNMP on Check Point involves cpstop and cpstart, so do it carefully on a production network.
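
Added example, not part of the original tutorial: a small shell check that reads a saved transcript of the cpstop/cpstart restart and confirms that cpsnmpd and FireWall-1 came up, which is the condition the manual cpstart step above is meant to fix. The function names and the saved session log are assumptions; the sample transcript is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are
# hypothetical; every string matched below appears in the output above.

# Constructed sample: abridged restart transcript based on the one above.
sample_transcript() {
cat <<'EOF'
SVN Foundation: failed to stop cpd
SVN Foundation stopped
cpstart: Power-Up self tests passed successfully
cpstart: Starting product - SVN Foundation
SVN Foundation: cpd already running
SVN Foundation: Starting cpsnmpd
SVN Foundation started
cpstart: Starting product - VPN-1
FireWall-1: Starting fwd
Fetching Security Policy from localhost succeeded
FireWall-1 started
cpstart: Starting product - FloodGate-1
EOF
}

# Read a transcript on stdin, print one finding per line, and return
# non-zero unless both cpsnmpd and FireWall-1 are confirmed started.
check_restart() {
    awk '
        function st(v) { return v ? "OK" : "FAIL" }
        /Starting cpsnmpd|cpsnmpd already running/ { snmp = 1 }
        /^FireWall-1 started/                      { fw = 1 }
        /Power-Up self tests passed/               { selftest = 1 }
        /failed to /                               { print "WARN " $0 }
        END {
            print st(selftest), "power-up self tests"
            print st(snmp), "cpsnmpd (SNMP daemon)"
            print st(fw), "FireWall-1"
            if (!fw)
                print "HINT run cpstart manually, then check the cluster in SmartView Monitor"
            exit !(snmp && fw)
        }'
}

# Stand-alone demo on the sample; for a real session log use:
#   check_restart < saved-session.log
sample_transcript | check_restart
```

A non-zero exit status means the transcript did not confirm both daemons, so the restart needs a manual look before the change is considered complete.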

If you have any suggestions or want to add more to this article, write us an email at articles@knowurtech.com
