This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Firewall_Head
Explorer
‎2024-12-29 08:46 AM

SNMP integration with Check Point using WAN IP | VPN in use

Dear Checkmates,

R81.10 Gateway

I have two sites A and B which is connected by IPsec VPN, in site B I have my SNMP application with a private IP. I wanted to monitor my Check Point firewall in site A with it's WAN IP which is used for VPN tunnel. 

I tried doing it but failed multiple times.

1> Checked for packet captures >> negative

2> Checked for kernel debugs >>negative

Can anyone help me on this please, I can't exclude snmp service under vpn because it's a weak version that we are using.

+PFA for your reference.

 

=======

WR,

FH

 
 
 

 

 

Preview file
39 KB
0 Kudos
5 Replies
AkosBakos
MVP Silver
MVP Silver
‎2024-12-29 09:39 AM

Hi @Firewall_Head 

Have you tried exclude the SNMP from the Tunnel? 

2024-12-29 18_37_03-Cloud Demo Server [ID_784674684]-R81.20-SmartConsole.png

But this is not the safest setup, but I think you know it.

 

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-12-29 10:17 AM

UPDATE: you wrote, you can't exclude it. ACK 🙂

What if you set the SNMP config for an IP which is in the ENC_DOM and reachable from site. Create a small VLAN with /29 prefix, and it is avaialable on the GW _only_  (no connection to the intranet) The routing will direct the traffic to that IF -> it should work, but not a beautiful solution.

----------------
\m/_(>_<)_\m/
0 Kudos
Firewall_Head
Explorer
‎2024-12-29 10:40 AM
In response to AkosBakos

Hi @AkosBakos ,

Thanks for your quick update.

Can you please explain it, do you mean to create a Vlan on the gateway and add that ip in the encryption domain of the vpn??

Use that ip for snmp monitoring ?

====

WR,

FH

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-12-29 11:07 AM
In response to Firewall_Head

 

Hi,

This is only an idea, unfortunately I can't test is yet. Please be cautious.

This is a simple interface modificationm and a VPN Domain extension

 So I would create an IF which exists only on the GW (you need to discuss with the network team for the availabe IPs and VLANs)

2024-12-29 19_55_20-Cloud Demo Server [ID_784674684]-R81.20-SmartConsole.png

You will query the GE on this interface (in this case 192.168.99.1)

Then and it to the ENC_ DOM (VPN Domain)

2024-12-29 20_00_01-Meshed Community.png

You need to add it both sides.

Create the neccesary Access Rules.

When the packet arrives to the GW, because the newly created LAN is a connected LAN, the route will direct to that interface (192.168.99.1) the trafic.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-30 05:13 PM

The WAN IP is automatically included in the encryption domain, which means the traffic will likely be encrypted.
fw monitor should show you if the traffic is being encrypted/decrypted correctly or not. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events