The reason: Auditors
I am trying to figure out how to batch test on gateways that have IPS installed if Bypass is set to track to SNMP alerts. (see attachment). I have walked through the Check Point mibs and tried to see if any of the IPS cli commands expose it. No joy. I could have missed it.
We use Backbox, so anything I can do at the CLI, I can execute. I can also snmpwalk the device. But still trying to figure out what to test against.
Any clues CM crew?
Does not give what you need, but the test is:
ips bypass stat
Test for "Disabled", "Enabled", "IPS Blade is disabled"
Screenshot here shows the SNMP MIB for IPS. I would assume if the IPS goes into bypass one of those values will change.
Would give this a go, load the system up with traffic to force a bypass and see if this changes the value. If so you can use that one.
https://community.checkpoint.com/t5/Threat-Prevention/SNMP-MIBS-for-IPS-Blade/m-p/89845#M2723
Unfortunately, it is not in that section.
Have you tested it? Could be that one of the values below changes if bypass under load is active:
-- ips statuses
ipsStatus OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "ips status (Running/Stopped)"
    ::= { ips 1 }

ipsUpdateStatusInfo OBJECT IDENTIFIER ::= { ips 11 }

ipsUpdateStatus OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "ips update status"
    ::= { ipsUpdateStatusInfo 1 }

ipsUpdateDescription OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "IPS update description"
    ::= { ipsUpdateStatusInfo 2 }

ipsNextUpdateDescription OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "IPS next update description"
    ::= { ipsUpdateStatusInfo 3 }

ipsDBVersion OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "IPS DB version"
    ::= { ipsUpdateStatusInfo 4 }

ipsState OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "ips state (0 - ok, 1 - warning, 2 - problem)"
    ::= { ips 101 }

ipsStateShortDesc OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "IPS short state description"
    ::= { ips 102 }

ipsStateLongDesc OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "IPS long state description"
    ::= { ips 103 }
SNMP traps for IPS are not there, also not for R82.
Yes I did.
But since you asked.
SNMPv2-SMI::enterprises.2620.1.53.1.0 = STRING: "Running"
SNMPv2-SMI::enterprises.2620.1.53.11.1.0 = STRING: "up-to-date"
SNMPv2-SMI::enterprises.2620.1.53.11.2.0 = STRING: "Gateway was updated with database version: 635251720"
SNMPv2-SMI::enterprises.2620.1.53.11.3.0 = STRING: "The next update will be run as scheduled."
SNMPv2-SMI::enterprises.2620.1.53.11.4.0 = STRING: "635251720"
SNMPv2-SMI::enterprises.2620.1.53.101.0 = Gauge32: 0
SNMPv2-SMI::enterprises.2620.1.53.102.0 = STRING: "IPS is ok"
SNMPv2-SMI::enterprises.2620.1.53.103.0 = STRING: "IPS is running ok"
And anticipating the next question
IPS Bypass Under Load: Enabled
Currently under load: No
Currently in bypass: No
CPU Usage thresholds: Low: 70, High: 90
Memory Usage thresholds: Low: 70, High: 90
IPS Status: Enabled
Active Profiles:
<redacted>
IPS Update Version: 635251720
Global Detect: Off
Bypass Under Load: On
Any difference in SNMP output if the following is in bypass?
Currently under load: Yes
Currently in bypass: Yes
If above is yes, you still read the same SNMP values?
But there is nothing to check to see if Bypass Tracking is set to "SNMP Trap Alert". There are other options like "Log", but I need to verify the setting for a Trap Alert. Then it will show on our Logic Monitor dashboard (in theory; have not seen it yet). But, for audit and compliance, I need to see if the Bypass is set to send a trap when it trips.
Folks that are in the PCI-DSS cloud will understand. That is why I always review the latest PCI-DSS standards documents. Auditors tend to be the shiny new kids. Sometimes it is your job to keep them in their lane.
If you "Log" the bypass, maybe SmartEvent can see this and you can assign a custom trigger to it. A few days ago I configured that if SmartEvent sees too many invalid passwords for the same user, the source gets blocked by the firewall. I think you could build something in SmartEvent. But then of course you need to force the bypass to see what the log entry looks like. Same goes if you go the SNMP way: if you don't know what it will send, it is difficult to put in a monitoring tool.
What does ips bypass stat actually give you?
IPS Bypass Under Load: Enabled
Currently under load: No
Currently in bypass: No
CPU Usage thresholds: Low: 70, High: 90
Memory Usage thresholds: Low: 70, High: 90
Edit - and that is from the box that has the SNMP tracking enabled.
And since it was asked previously (Diamond before they understood the issue)
authorizationError
coldStart
fanFailure
highVoltage
linkUpLinkDown
lowDiskSpace
lowDiskSpaceAllPartitions
lowVoltage
overTemperature
powerSupplyFailure
vrrpv2AuthFailure
vrrpv2NewMaster
vrrpv3NewMaster
vrrpv3ProtoError
I suspect the only way to do this via SNMP is via a custom OID similar to:
https://support.checkpoint.com/results/sk/sk121723
Once I figure out what to test against. I will probably just do it as a compliance check and potential remediation. But since I can't seem to test/verify at the CLI, kind of stuck.
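A compliance check over the two data sources this thread does show, the text of `ips bypass stat` and the IPS OIDs under enterprises.2620.1.53, as an added example that is not from the thread or from Check Point. The sample outputs are constructed from what was posted above and the snmpwalk invocation in the comment is an assumption; the check cannot verify the "SNMP Trap Alert" tracking setting, since nothing on this page exposes it at the CLI or via SNMP.

```shell
#!/bin/sh
# Added example, not from the thread: a compliance check over the two data
# sources shown above, the text of `ips bypass stat` and the IPS OIDs under
# enterprises.2620.1.53 (ipsState = .101.0: 0 ok, 1 warning, 2 problem).
# It cannot read the "SNMP Trap Alert" tracking setting; nothing on the page
# exposes that at the CLI or via SNMP.

# field TEXT LABEL: print the value after "LABEL:" in TEXT, first match only
field() { printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1; }

# check_ips_bypass STAT_OUT SNMP_OUT: returns 0 when compliant, 1 otherwise,
# printing one FAIL line per finding for the runner (e.g. Backbox) to capture.
check_ips_bypass() {
    rc=0
    if [ "$(field "$1" 'IPS Bypass Under Load')" != "Enabled" ]; then
        echo "FAIL: bypass under load is not enabled"; rc=1
    fi
    if [ "$(field "$1" 'Currently in bypass')" = "Yes" ]; then
        echo "FAIL: IPS is currently in bypass, traffic is not inspected"; rc=1
    fi
    state=$(printf '%s\n' "$2" | sed -n 's/.*2620\.1\.53\.101\.0 = Gauge32: *//p')
    if [ -z "$state" ]; then
        echo "FAIL: ipsState OID (.2620.1.53.101.0) not returned"; rc=1
    elif [ "$state" -ne 0 ]; then
        echo "FAIL: ipsState=$state (0 expected)"; rc=1
    fi
    return $rc
}

# Constructed samples, copied from the outputs posted in the thread.
STAT_OK='IPS Bypass Under Load: Enabled
Currently under load: No
Currently in bypass: No
CPU Usage thresholds: Low: 70, High: 90'
STAT_BYPASS='IPS Bypass Under Load: Enabled
Currently under load: Yes
Currently in bypass: Yes'
SNMP_OK='SNMPv2-SMI::enterprises.2620.1.53.1.0 = STRING: "Running"
SNMPv2-SMI::enterprises.2620.1.53.101.0 = Gauge32: 0
SNMPv2-SMI::enterprises.2620.1.53.102.0 = STRING: "IPS is ok"'

# On a gateway, feed live output instead (assumed invocation, <community> is a placeholder):
#   check_ips_bypass "$(ips bypass stat)" "$(snmpwalk -v2c -c <community> localhost .1.3.6.1.4.1.2620.1.53)"
check_ips_bypass "$STAT_OK" "$SNMP_OK" && echo "healthy gateway: compliant"
check_ips_bypass "$STAT_BYPASS" "$SNMP_OK" || echo "gateway in bypass: non-compliant"
```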