This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ma_gorkhali
Contributor
3 weeks ago

Checkpoint with Thousandeyes

Anyone integrated thousandeyes with Checkpoint? Looks like there is some incompatibility between SNMP cipher? 

9 Replies
the_rock
Legend
Legend
3 weeks ago

I found a post from last year where Phoneboy indicated he was not aware of any known issues. I checked Thousandeyes documentation, could not find anything specific either.

Do you have any link or statement about this?

Andy

0 Kudos
ma_gorkhali
Contributor
3 weeks ago
In response to the_rock

@the_rock these are the options that Thousandeyes support for SNMPV3 and I have tried all the options and while capturing packet from checkpoint I can see packets coming through and also moving from i > I . 

 

hmac-checkpoint.PNG

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to ma_gorkhali

So none of them work? 😞

0 Kudos
ma_gorkhali
Contributor
3 weeks ago
In response to the_rock

Sadly noone of them worked.

 

I was wondering if I could find some expert here who has deployed thousandeyes with checkpoint.

 

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to ma_gorkhali

K, lets wait and see if someone might have an idea.

0 Kudos
Bob_Zimmerman
Authority
Authority
3 weeks ago

As of R81.20, Check Point only supports usmHMAC192SHA256AuthProtocol and usmHMAC384SHA512AuthProtocol for authentication (RFC 7860), and DES (RFC 3414), AES-128 (RFC 3826), or AES-256 (non-standard) for privacy. It definitely works with Thousandeyes. I would go with usmHMAC384SHA512AuthProtocol and AES-128.

ma_gorkhali
Contributor
2 weeks ago
In response to Bob_Zimmerman

There is no AES-128 option in Checkpoint and I am using privacy-protocol AES256 authentication-protocol SHA512

 

hmac-checpoint.PNG

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to ma_gorkhali

I would verify with TAC on this.

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
2 weeks ago
In response to ma_gorkhali

@ma_gorkhali wrote:

There is no AES-128 option in Checkpoint and I am using privacy-protocol AES256 authentication-protocol SHA512

There absolutely is an AES-128 option, they just leave off the key length (128 bits is the only RFC-compliant AES key length):

[Expert@MyManagement]# fwm ver
This is Check Point Security Management Server R81.20 - Build 017
[Expert@MyManagement]# cpinfo -y fw1

This is Check Point CPinfo Build 914000250 for GAIA
[FW1]
	HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
	HOTFIX_R81_20_JUMBO_HF_MAIN	Take:  92
	HOTFIX_WEBCONSOLE_AUTOUPDATE
	HOTFIX_GOT_MGMT_AUTOUPDATE
	HOTFIX_NGM_DOCTOR_AUTOUPDATE
	HOTFIX_VCE_R81_20_AUTOUPDATE
	HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
	HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 017
This is Check Point's software version R81.20 - Build 043

[Expert@MyManagement]# clish
MyManagement> add snmp usm user NewUser security-level authPriv auth-pass-phrase vpn123 privacy-pass-phrase vpn123 privacy-protocol 

DES     AES     AES256
MyManagement> add snmp usm user NewUser security-level authPriv auth-pass-phrase vpn123 privacy-pass-phrase vpn123 privacy-protocol AES authentication-protocol 

SHA256  SHA512
MyManagement> add snmp usm user NewUser security-level authPriv auth-pass-phrase vpn123 privacy-pass-phrase vpn123 privacy-protocol AES authentication-protocol SHA
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top