https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69521#M9572 <P>Hi,</P><P>We have just enabled SNMP access to virtual systems on VSX hosts using direct SNMP access:</P><P>set snmp mode vs<BR />set snmp vs-direct-access on</P><P><BR />We have confirmed that this is working with both SNMP v2 and v3 using the internal interface of the virtual systems that is used for data traffic.</P><P>We are now planning to create a separate management interface for each vs, so that the SNMP traffic is separated and routed correctly. Would you recommend using the same VLAN for this interface as the management interface of the VSX hosts or do you see any advantage of using a separate monitoring VLAN on the virtual systems?</P><P>Thanks for your help!</P><P>Harry</P> Fri, 06 Dec 2019 10:59:13 GMT net-harry 2019-12-06T10:59:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69521#M9572 <P>Hi,</P><P>We have just enabled SNMP access to virtual systems on VSX hosts using direct SNMP access:</P><P>set snmp mode vs<BR />set snmp vs-direct-access on</P><P><BR />We have confirmed that this is working with both SNMP v2 and v3 using the internal interface of the virtual systems that is used for data traffic.</P><P>We are now planning to create a separate management interface for each vs, so that the SNMP traffic is separated and routed correctly. Would you recommend using the same VLAN for this interface as the management interface of the VSX hosts or do you see any advantage of using a separate monitoring VLAN on the virtual systems?</P><P>Thanks for your help!</P><P>Harry</P> Fri, 06 Dec 2019 10:59:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69521#M9572 net-harry 2019-12-06T10:59:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69523#M9573 <P>I would personally keep out of the VSX Cluster Management Interface VLAN, I like to keep that just for the actual VSX Management Traffic</P><P>SNMPv3 is already encrypted (we always use the option to encrypt anyway) so not sure from a Security perspective too much benefit there and are you really generating enough traffic with SNMP that going to impact regular network traffic.</P><P>If you already have a separate Management Network that already using for monitoring/management of other Network Devices etc then would suggest that wouldn't hurt to add an Interface in the VS to that VLAN as already done the majority of the work.</P><P>Obviously need to ensure that the SNMP connection wouldn't be reachable by multiple interfaces though of course that would be normal network design practice anyway.</P> Fri, 06 Dec 2019 11:15:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69523#M9573 mdjmcnally 2019-12-06T11:15:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69537#M9574 <P>Thank you very much for the feedback!</P><P>We have a separate management network, but I agree that it is worth considering if a new VLAN only for the SNMP traffic is actually valuable.</P><P>Best regards,</P><P>Harry</P> Fri, 06 Dec 2019 13:22:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69537#M9574 net-harry 2019-12-06T13:22:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69539#M9575 Don't forget to also add access to the VS's for the V3 user:<BR />set snmp usm user &lt;v3-user&gt; vsid 1-5 Fri, 06 Dec 2019 13:25:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-interface-on-virtual-systems/m-p/69539#M9575 Maarten_Sjouw 2019-12-06T13:25:37Z