How to configure SNMP on SecurePlatform OS
Solution

Table of Contents

  • Action plan
  • Enabling the SNMP on SecurePlatform OS
  • Configuring the SNMP on SecurePlatform OS
    • (A) Configuring the SNMPD daemon
    • (B) Configuring the SNMP users
    • (C) Configuring the SNMP communities
  • Adding relevant security rules
  • Verification
  • Related documentation
  • Related solutions

 

Action plan

  1. Enable SNMP on SecurePlatform OS.

  2. Configure SNMP on SecurePlatform OS.

  3. Add the relevant security rules in SmartDashboard to allow SNMP traffic and install policy.

  4. Verify the SNMP works as expected on SecurePlatform OS.

 

Enabling the SNMP on SecurePlatform OS

  1. Connect to the SecurePlatform CLI (over SSH, or console).

  2. Log in to Expert Mode.

  3. Enable the SNMP Extension:

    1. Go to 'CPconfig' menu:

      [Expert@HostName]# cpconfig

    2. Select 'SNMP Extension'.

    3. Enter 'y' at the prompt and press the Enter key.

      At this point the SNMP agent listens on UDP port 161 and serves both the operating system MIB (the MIB-II branch, 1.3.6.1.2.1.x) and the Check Point MIB (1.3.6.1.4.1.2620.x).


  4. Enable the SNMP service:

    [Expert@HostName]# snmp service enable

 

Configuring the SNMP on SecurePlatform OS

(A) Configuring SNMP - settings for the SNMPD daemon - /etc/snmp/snmpd.conf

The file has several major parts:

  1. Required directives

    The following lines exist in the file by default and must not be removed:
    master agentx
    sysServices 76
    smuxpeer 1.3.6.1.4.1.4.3.1.4
    


  2. System information

    Contains location, owners, contact information, description, etc.

    sysLocation STRING
    sysContact STRING
    sysName STRING
    sysDescr STRING
    sysObjectID OID
    


  3. Community strings (SNMPv1 and SNMPv2c)

    This string acts as a password when querying the SNMP Agent. It is the only authentication SNMPv1 and SNMPv2c provide, and it is sent in cleartext in every packet, so replace the well-known defaults ('public', 'private') with a non-guessable name and restrict the SOURCE as described below.

    • For read-only access (GET and GETNEXT):
      rocommunity COMMUNITY_NAME [SOURCE [OID]]

    • For read-write access (GET, GETNEXT and SET):
      rwcommunity COMMUNITY_NAME [SOURCE [OID]]

    Notes:

    • The SOURCE token can be used to restrict access to requests from the specified system(s).
      A restricted source can either be a specific hostname (or specific IP address), or a subnet - represented as either IP_Address/Subnet_Mask (e.g., 10.10.10.0/255.255.255.0), or represented as IP_Address/Subnet_Mask_Length (e.g., 10.10.10.0/24).

      Note:
      If you need to limit the access from specific sources, then along with restricted sources, it is important to include the IP address of the Loopback interface 127.0.0.1. Otherwise you will not be able to query the system locally:
      [ro/rw]community COMMUNITY_NAME 127.0.0.1

    • The OID field restricts access for that community to the subtree rooted at the given OID.


  4. SNMP Trap settings

    Refer to SecurePlatform Administration Guide (R65, R70, R71, R75, R75.40, R75.40VS, R76, R77) - Chapter 'SNMP Support' - SNMP Monitoring.

    The relevant directives are 'cp_monitor' and 'trap2sink'.
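The audit a reviewer would run over these files, as an added example that is not part of the original article: it parses the rocommunity/rwcommunity directives (the syntax is the same in /etc/snmp/snmpd.conf and /etc/snmp/snmpd.users.conf), flags default community names, a missing SOURCE restriction, read-write access and a source restriction that leaves out 127.0.0.1, and runs against constructed fragments: a typical quick setup, a hardened one, and the loopback mistake described in the note above. The community name MY_COMMUNITY_NAME, the 10.10.10.0/24 management subnet and the file names are assumptions for the example.

```shell
#!/bin/bash
# Added example, not from the Check Point article: audit the community directives of
# a net-snmp style file (/etc/snmp/snmpd.conf or /etc/snmp/snmpd.users.conf on
# SecurePlatform) and print one finding per line as "<file>:<line>: <SEVERITY> <text>".
# Exit status 0 when there is no HIGH finding, 1 otherwise.
audit_snmp_communities() {
    awk -v f="$1" '
        BEGIN { bad = 0 }
        # rocommunity NAME [SOURCE [OID]]  /  rwcommunity NAME [SOURCE [OID]]
        /^[ \t]*r[ow]community[ \t]/ {
            kind = $1; name = $2; src = $3; oid = $4
            if (name == "public" || name == "private") {
                print f ":" NR ": HIGH default community string \"" name "\""; bad = 1
            }
            if (src == "" || src == "default") {
                print f ":" NR ": HIGH " kind " \"" name "\" accepts requests from any source"; bad = 1
            } else {
                restricted[name] = 1
                if (src == "127.0.0.1" || src == "localhost") loopback[name] = 1
            }
            if (kind == "rwcommunity")
                print f ":" NR ": WARN read-write access (SET) granted to \"" name "\""
            if (oid == "")
                print f ":" NR ": INFO \"" name "\" is not limited to an OID subtree"
        }
        END {
            # a source-restricted community without a 127.0.0.1 entry cannot be queried
            # locally, so a verification snmpwalk against 127.0.0.1 will time out
            for (n in restricted)
                if (!(n in loopback))
                    print f ":0: WARN \"" n "\" restricted by source but 127.0.0.1 not allowed; local snmpwalk will time out"
            exit bad
        }' "$1"
}

# Constructed sample fragments (not real configuration files).
tmp=$(mktemp -d)
# "before": the quick default setup
cat > "$tmp/weak.conf" <<'EOF'
rocommunity public
rwcommunity private
EOF
# "after": named community, read-only, limited to the management subnet plus loopback,
# and to the two subtrees the verification section walks (OS MIB-II and Check Point)
cat > "$tmp/hardened.conf" <<'EOF'
rocommunity MY_COMMUNITY_NAME 10.10.10.0/24 1.3.6.1.2.1
rocommunity MY_COMMUNITY_NAME 10.10.10.0/24 1.3.6.1.4.1.2620
rocommunity MY_COMMUNITY_NAME 127.0.0.1
EOF
# the mistake the article warns about: restricted source, loopback forgotten
printf 'rocommunity MY_COMMUNITY_NAME 10.10.10.0/24\n' > "$tmp/nolocal.conf"

for f in weak hardened nolocal; do
    echo "== $f.conf"
    audit_snmp_communities "$tmp/$f.conf" && echo "PASS (no HIGH findings)" || echo "FAIL"
done
```

Run it in Expert mode against the real files with `audit_snmp_communities /etc/snmp/snmpd.users.conf` after sourcing the functions; a non-zero exit means at least one community would answer any source or uses a default name.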

 

(B) Configuring SNMP - settings for SNMP users - /etc/snmp/snmpd.users.conf

This file contains SNMPD daemon's users definitions.

Note: In some SNMP versions, no SNMP Traps are sent if the 'public' community is not defined in this file.

  1. Stop the SNMPD service:

    [Expert@HostName]# service snmpd stop

  2. Back up the current /etc/snmp/snmpd.users.conf file:

    [Expert@HostName]# cp /etc/snmp/snmpd.users.conf  /etc/snmp/snmpd.users.conf_ORIGINAL

  3. Add the relevant communities to the /etc/snmp/snmpd.users.conf file:

    Note:
    The community should be at least Read-Only (rocommunity).

    [Expert@HostName]# vi /etc/snmp/snmpd.users.conf

    rocommunity MY_COMMUNITY_NAME

  4. Start the SNMPD service:

    [Expert@HostName]# service snmpd start

  5. Verify the SNMPD daemon was started:

    [Expert@HostName]# ps auxw | grep -v grep | grep snmpd

 

(C) Configuring SNMP - setting SNMP communities for Check Point SNMP Agent - $FWDIR/conf/snmp.C

This file contains the configuration details for the Check Point SNMP Agent.

  1. Stop Check Point services:

    [Expert@HostName]# cpstop

  2. Back up the current $FWDIR/conf/snmp.C file:

    [Expert@HostName]# cp $FWDIR/conf/snmp.C  $FWDIR/conf/snmp.C_ORIGINAL

  3. Edit the current $FWDIR/conf/snmp.C file:

    [Expert@HostName]# vi $FWDIR/conf/snmp.C

  4. Find the line:

    :snmp_community

  5. Add the community name as needed (Read-Only, and/or Read-Write):
    :snmp_community (
                    :read (MY_COMMUNITY_NAME)
                    :write (MY_COMMUNITY_NAME)
    )
    


  6. Save the changes and exit from Vi editor.

  7. Start Check Point services:

    [Expert@HostName]# cpstart
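The file edits from steps (B) and (C) as one re-runnable script, an added example rather than the article's own procedure: it backs each file up once to FILE_ORIGINAL (the article's convention), appends rocommunity lines only when they are absent, and rewrites the :snmp_community block of snmp.C with awk. Without arguments it exercises the functions on constructed copies in a temporary directory; with --apply it runs the article's stop/edit/start sequence against the real paths, which assumes Expert mode on SecurePlatform with $FWDIR set. The community name MY_COMMUNITY_NAME, the 10.10.10.0/24 source and the minimal snmp.C sample (only the :snmp_community block, not the other entries a real snmp.C carries) are assumptions. It does not remove an existing 'rocommunity public' line; decide on that separately, bearing in mind the note above about traps.

```shell
#!/bin/bash
# Added example, not Check Point tooling: steps (B) and (C) as idempotent shell
# functions. Without "--apply" it only exercises the functions on constructed copies
# in a temporary directory; "bash snmp_communities.sh --apply" runs the article's
# stop/edit/start sequence on the real files (Expert mode, $FWDIR set).

# Append "rocommunity NAME [SOURCE]" to a net-snmp style file unless that exact line
# already exists. The first call keeps a copy as FILE_ORIGINAL (article convention).
add_os_community() {
    file="$1"; name="$2"; src="${3:-}"
    line="rocommunity $name${src:+ $src}"
    [ -f "${file}_ORIGINAL" ] || cp "$file" "${file}_ORIGINAL"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Replace the :snmp_community ( ... ) block of a snmp.C file with the given read
# community and an optional write community (empty WRITE_NAME = read-only agent).
set_cp_snmp_community() {
    file="$1"; read_name="$2"; write_name="${3:-}"
    [ -f "${file}_ORIGINAL" ] || cp "$file" "${file}_ORIGINAL"
    awk -v r="$read_name" -v w="$write_name" '
        /^[ \t]*:snmp_community[ \t]*\(/ {
            print "        :snmp_community ("
            print "                :read (" r ")"
            if (w != "") print "                :write (" w ")"
            print "        )"
            # a single-line ":snmp_community (...)" has no following lines to drop
            skip = ($0 ~ /\)[ \t]*$/) ? 0 : 1
            next
        }
        skip && /^[ \t]*\)/ { skip = 0; next }   # closing paren of the old block
        !skip { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read back the :read community from a snmp.C file (empty if none).
get_cp_read_community() {
    awk '/:snmp_community/ { inb = 1 }
         inb && /:read[ \t]*\(/ { sub(/^[^(]*\(/, ""); sub(/\).*$/, ""); print; exit }' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    service snmpd stop
    add_os_community /etc/snmp/snmpd.users.conf MY_COMMUNITY_NAME 10.10.10.0/24
    add_os_community /etc/snmp/snmpd.users.conf MY_COMMUNITY_NAME 127.0.0.1
    service snmpd start
    cpstop
    set_cp_snmp_community "$FWDIR/conf/snmp.C" MY_COMMUNITY_NAME      # read-only agent
    cpstart
    exit 0
fi

# Demo on constructed copies (not the real files); the snmp.C sample is reduced to
# the :snmp_community block only.
demo=$(mktemp -d)
printf 'rocommunity public\n' > "$demo/snmpd.users.conf"
cat > "$demo/snmp.C" <<'EOF'
(
        :snmp_community (
                :read (public)
                :write (public)
        )
)
EOF
add_os_community "$demo/snmpd.users.conf" MY_COMMUNITY_NAME 10.10.10.0/24
add_os_community "$demo/snmpd.users.conf" MY_COMMUNITY_NAME 127.0.0.1
add_os_community "$demo/snmpd.users.conf" MY_COMMUNITY_NAME 127.0.0.1   # second call: no duplicate
set_cp_snmp_community "$demo/snmp.C" MY_COMMUNITY_NAME                   # read-only: :write dropped
echo "--- $demo/snmpd.users.conf"; cat "$demo/snmpd.users.conf"
echo "--- $demo/snmp.C (read community: $(get_cp_read_community "$demo/snmp.C"))"; cat "$demo/snmp.C"
```

The write community is dropped unless a third argument is given, since nothing in this procedure needs SET access; pass a second name only when a management station must write.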

 

Adding relevant security rules

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. Add the relevant security rules to allow the SNMP traffic:

    • To allow the 'SNMP Request' and 'SNMP Response' (UDP port 161), use the pre-defined service 'snmp'
    • To allow the SNMP Trap packets (UDP port 162, sent by the gateway to the trap receiver), use the pre-defined service 'snmp-trap'

    Limit the Source of the 'snmp' rule to the management station(s) that poll the gateway rather than 'Any'; the community string is the only credential SNMPv1/v2c offer.


  3. Install the policy onto the relevant Security Gateways / Clusters.

 

Verification

To verify that SNMP is working as expected, run the following commands in Expert mode:

  1. Check that SNMPD daemon was started:

    [Expert@HostName]# ps aux | grep -v grep | grep snmp

  2. Check that the system is listening on UDP port 161:

    [Expert@HostName]# netstat -anu | grep ':161'

  3. Check that the system responds to the OS MIB (use the community string configured in /etc/snmp/snmpd.users.conf; the examples below assume MY_COMMUNITY_NAME):

    [Expert@HostName]# snmpwalk -v 2c -c MY_COMMUNITY_NAME 127.0.0.1  1.3.6.1.2.1

  4. Check that the system responds to the Check Point MIB:

    [Expert@HostName]# snmpwalk -v 2c -c MY_COMMUNITY_NAME 127.0.0.1  1.3.6.1.4.1.2620

If you get a timeout instead of a response, then the SNMP Agent is not running, the community string does not match the configured one, or a SOURCE restriction on the community does not include 127.0.0.1 (see the note in section (A)).

Refer to the list of related solutions below.

 

 

This solution is about products that are no longer supported and it will not be updated
Applies To:
  • This solution replaces sk34511
