topic Re: SNMP -v:3 on CP gateway in Firewall and Security Management

SNMP -v:3 on CP gateway

SWBW_Florian — Mon, 26 May 2025 07:36:05 GMT

hey there

i tried to monitor our VPN connections through SNMP and have some troubles doing that

for testing purposes i use the "Peassler SNMP Tester 5.2.1". I already tried powershell/cmd as well.

we have a cluster, one mgmt and 2 nodes. I created the user on both gateways and added the fw rules to reach them

i then downloaded the paessler snmp tester and implemented all data for the SNMPv3 test

i rechecked username,password and key multiple times and can confirm that they are definitively correct

i got auth fail issues, though

26.05.2025 09:29:15 (115 ms) : Value: Authentication failure (incorrect password, community or key) -35

What could be wrong here?

thanks in advance

Re: SNMP -v:3 on CP gateway

genisis__ — Mon, 26 May 2025 08:31:51 GMT

Can you paste your SNMPv3 config please (exclude password).
Also have you confirm SNMPv2 works first, I generally like to test SNMPv2 if v3 has issue. Also the only thing I've seen is if the NMS supports only SHA-1 but the Checkpoint GW (when its a new build) supports only SHA2 without a workaround.

Re: SNMP -v:3 on CP gateway

SWBW_Florian — Mon, 26 May 2025 09:42:40 GMT

at gaia its configured as you can see it in the attachment

Re: SNMP -v:3 on CP gateway

genisis__ — Mon, 26 May 2025 09:57:13 GMT

Does the NMS support SHA256? I this is where I've generally found to be a problem. There is away to set the gateway to use SHA-1, if you want to try this.

Re: SNMP -v:3 on CP gateway

SWBW_Florian — Mon, 26 May 2025 10:03:08 GMT

i just would try to switch to sha1. How to do that?

Re: SNMP -v:3 on CP gateway

genisis__ — Mon, 26 May 2025 12:27:35 GMT

I agree, I don't like the fact CP remove the ability to use SHA-1 for SNMP when you do a new build, as I think that decision should for the customer and there security policy to decide.
Do you know how to get SHA-1 available again? If not let me know.

Re: SNMP -v:3 on CP gateway

genisis__ — Mon, 26 May 2025 16:35:35 GMT

This is what I've done based on information from the community. Please note, that this is not supported by Checkpoint and I take no responsibility if there is an issue.

I know on the devices I've managed it works. I've used this on R81.x. I see no reason why it would not work on R82.x

clish:
add snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password> privacy-protocol AES authentication-protocol SHA256

expert:
dbset snmp:v3:user:SNMPUser:auth:proto .1.3.6.1.6.3.10.1.1.3

clish:
set snmp usm user SNMPUser vsid all (Only needed if you are using VSX)
show snmp usm user SNMPUser (Should report SHA-1)

Need to ensure you reset the password at this final stage
set snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password>
save config

Note:
If you upgrade or apply a jumbo, you may have to redo this.

Re: SNMP -v:3 on CP gateway

joerivang — Mon, 26 May 2025 16:48:15 GMT

This is also how we do it.