topic Re: Clish quirk with SNMP config in General Topics

Clish quirk with SNMP config

Bob_Zimmerman — Tue, 09 Jan 2024 22:36:22 GMT

While trying to make my firewalls' configurations more consistent, I noticed something weird. Here it is reproduced on one of my personal boxes:

[Expert@DallasSA]# clish -c "show configuration" | grep snmp set snmp agent-version any set snmp community public read-only set snmp agent-version v3-Only ... [Expert@DallasSA]# clish DallasSA> delete snmp community public NMSSNM0075 SNMP v3-Only does not support community string. DallasSA> set snmp agent-version any DallasSA> delete snmp community public DallasSA> set snmp agent-version v3-only DallasSA> save config DallasSA> exit [Expert@DallasSA]# clish -c "show configuration" | grep snmp set snmp agent-version v3-Only ... [Expert@DallasSA]# fw ver This is Check Point's software version R81.10 - Build 055 [Expert@DallasSA]# cpinfo -y fw1 | grep Take This is Check Point CPinfo Build 914000239 for GAIA HOTFIX_R81_10_JUMBO_HF_MAIN Take: 129

It's possible for the clish config to have both "set snmp agent-version any" and "set snmp agent-version v3-Only" in it at the same time. When these lines are both present in the config, you have to enter "set snmp agent-version any" again in order to interact with the v2 community causing the "agent-version any" line to stick around. Once you have deleted it, you can switch to v3-Only and the "agent-version any" line actually goes away.

Seems like at least two minor bugs in clish.

Re: Clish quirk with SNMP config

nitzanef — Wed, 31 Jan 2024 14:28:33 GMT

This is by design, not a bug.
This behavior is to save the configuration when switching to version any (v1/v2/v3) or when implementing the configuration on different machine (see PMTR-68517)

Nitzan

Re: Clish quirk with SNMP config

the_rock — Wed, 31 Jan 2024 14:49:26 GMT

I get same thing on R81.20 jumbo 41

Andy

Re: Clish quirk with SNMP config

the_rock — Wed, 31 Jan 2024 14:50:15 GMT

Btw, customers cant see that PMTR, thats internal to CP employees only, it would seem.

Best,

Andy

Re: Clish quirk with SNMP config

Bob_Zimmerman — Wed, 31 Jan 2024 15:32:56 GMT

Then that is a terrible design on multiple levels.

"set snmp agent-version any" and "set snmp agent-version v3-Only" should not be able to coexist in the config. If you're going to use the string "v3-Only", then it should mean v3 ONLY. This is clearly a bug in either how clish works or in the naming of the config option.
If you're going to allow v2 config to remain when the agent version is set to both any and v3-Only, you should allow it to be removed when the agent version is set to v3-Only. This is clearly a bug in the validation of whether commands affecting v2 can be entered. The user should always be able to remove configuration items without changing unrelated items.
If there's v2 configuration, trying to set agent-version to v3-Only should at least generate a warning. I'd argue it should simply reject the input in the same way you can't delete a bond before you remove all of its members (deleting a bond could clearly be interpreted as removing all of its members from it, but clish doesn't work that way).

Re: Clish quirk with SNMP config

the_rock — Wed, 31 Jan 2024 15:35:46 GMT

Those are definitely valid points @Bob_Zimmerman