Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Taner
Contributor

Monitor VPN Tunnel Using SNMP V3

Hello,

do you have any solution for Zabbix 4.0.9 and GAIA Checkpoint R80.30? We want to monitor VPN tunnels and our focus is under these two templates:
checkpoint-vpn-1-3.4
snmp-v3-checkpoint-monitoring

Template 1:
https://share.zabbix.com/network_devices/cat-checkpoint/checkpoint-vpn-1-3.4
But we have to load MIBs manually:
"You will need the CHECKPOINT-MIB loaded onto the Zabbix server: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut..."

Template 2:
And the next template is:
https://share.zabbix.com/network_devices/cat-checkpoint/snmp-v3-checkpoint-monitoring

But our 4.0.9 is not compatible with this template.


Do you have instructions for:
https://share.zabbix.com/network_devices/cat-checkpoint/checkpoint-vpn-1-3.4

Or guide how to load Check Point MIB files to Zabbix?

Thank you in advance.

Best Regards.

0 Kudos
24 Replies
PhoneBoy
Admin
Admin

@John_Fleming might know.
However it’s a probably a question for the relevant Zabbix forum.
The MIB files are located in $FWDIR/lib/snmp on the gateways/management. 
Also why is this posted in the SMB space?

John_Fleming
Advisor

FYI - The checkpoint mibs are kind of limited and doesn't take into account how tunnel management is handled. Your best option to have true visibility is to make sure VPN tunnel is set to 1 tunnel per peer. Once you have this you can truely show VPN is up or down per peer.

The details are there isn't a way to say "between these two peers is there a vpn up from this subnet/host to this subnet/host up?". You could get into a place where part of the VPN is working and part of it isn't but zabbix would see it as working. With one vpn per peer you know its always up or down and zabbix (really snmp) will show the correct info.

I haven't used those templates. We just looked up the VPN mibs and added them to zabbix.

Taner
Contributor

"I haven't used those templates. We just looked up the VPN mibs and added them to zabbix."

Hello, John Fleming thank you for your answer.

Could you tell me how to import Mib files to Zabbix?


0 Kudos

There is a version signature in CHECKPOINT-MIB:

checkpoint MODULE-IDENTITY
LAST-UPDATED "201312261309Z"
ORGANIZATION "Check Point"
CONTACT-INFO "Check Point"
DESCRIPTION "Check Point MIB
See the most common OIDs, with detailed descriptions, in the SNMP Best Practices Guide - sk98552
(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)"
REVISION "201312261309Z"
DESCRIPTION "Update the SMIv1 MIB to SMIv2"
::= { enterprises 2620 }

I can't remember which one I am using on our Zabbix server but I can check later on. 

@Taner You need to copy MIB file to  /usr/local/share/snmp/mibs/ and specify this path in snmp config:

# cat /etc/snmp/snmp.conf
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
mibdirs +/usr/local/share/snmp/mibs

And of course make sure snmpd is running.

Search for CP_SNMP_BestPracticesGuide.pdf on CheckPoint site. It is really helpful. Page 24 is what you are looking for.

Taner
Contributor

Thank you Hristo Grigorov.

I will check.

0 Kudos
Taner
Contributor

Hello Hristo Grigorov,

But we are talking about SNMP V3 MIBS.

I will appreciate it a lot if it's possible to check exactly which files to where should be copied.

0 Kudos

What has MIB file to do with SNMP protocol version ? All you need to copy is CHECKPOINT-MIB and eventually CHECKPOINT-MIB-TRAP.

Taner
Contributor

Hello Hristo Grigorov,

In my Zabbix it's different.

I don't have this config file:
 /etc/snmp/snmp.conf 

I find:
/usr/share/snmp/mibs

And I find:
/etc/snmp/snmpd.conf

Is it possible my snmp version does not support SNMP v3?

The OS is CentOS Linux release 7.6.1810 (Core)








0 Kudos

Yeah, you may drop MIB file in that location and don't forget to restart snmpd after that. I don't like to mess with OS default folders hence why I put mine in local one. Anyway, it is best to check CentOS docs on how to properly configure SNMP daemon. Can't help with this, Debian here.

0 Kudos
Taner
Contributor

Which mib files I should use from the Check Point Web site for GAIA Checkpoint R80.30 ?
(Check Point Products chkpnt.mib)(Check Point Traps chkpnt-trap.min)(Gaia OS Traps is this the right file? GaiaTrapsMIB.mib)

0 Kudos
Taner
Contributor

net-snmp-config --version
5.7.2

net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp:/var/lib/net-snmp

0 Kudos
John_Fleming
Advisor

chkpnt.mib, but add them all. 

chkpnt.mib <- this is for polling. NMS Asking your firewall fire stuff.

chkpnt-trap.mib / GaiaTrapsMIB.mib <- these are for Trap, Firewall telling your NMS something just happened without being asked.

0 Kudos
Taner
Contributor

For checking VPN tunnels which is the right MIB file?

And the most important question, how I can load the new MIB file in the SNMP daemon?
Now I read this:

http://net-snmp.sourceforge.net/wiki/index.php/TUT:Using_and_loading_MIBS

But:

# Access Control
################################################## #############################
mibs +GaiaTrapsMIB.txt

/etc/snmp/snmpd.conf: line 18: Warning: Unknown token: mibs.

Where I am wrong?

The OS is CentOS Linux release 7.6.1810 (Core)

net-snmp-config --version
5.7.2

net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp:/var/lib/net-snmp


0 Kudos
Taner
Contributor

John_Fleming do you know the right syntax to check snmpwalk v3?
snmpwalk -v3 -l authPriv -u USERNAME -a MD5 -A PASSWORD -x AES -X PASSWORD GW2_HostName_or_IP_Address OID
I received these credentials:
Security Level - authPriv
User Permissions - read-only
Authentication protocol - MD5
Privacy Protocol - AES
Authentication passphrase and Privacy passphrase
If the Check Point IP address is 192.168.1.100?
I don't have username for the Check Point device.

0 Kudos
PhoneBoy
Admin
Admin

You would need to configure an snmp username/password on the appliance in question.
That's a requirement for SNMPv3.

John_Fleming
Advisor

v2 and v3 use the same mibs. v3 just adds stronger authentication to snmp. 

John_Fleming
Advisor

yeah it depends on how net-snmp is installed and snmp.conf is setup and containers bla bla bla. 

This is pretty close to ours. Ours is installed in container so in our case its in the dir we mapped to the volume but that happens to be /usr/share/mibs/ in the container. 

Taner
Contributor

John_Fleming you are right.

How I can easily check which version is my SNMP?

0 Kudos
Taner
Contributor

Hello PhoneBoy,

Thank you for your fast response.

The MIB files from the local device and from the website of the Check Point what is the difference?

I posted the topic here because I did see another topic but for SNMP V2 in this section.
 
Hello John_Fleming  could you share your experience regarding the topic?



0 Kudos
John_Fleming
Advisor

Honestly, someone from checkpoint would need to explain. My guess is the mib file on the gateway is the mib file based on release date where as the mib file on the website could in theory be more up to date. 

They should basically be the same, but I would pull the gateway one and the website one and diff them to see whats different. I don't recall there being any version info in the mib files in either place but I could be wrong.

Taner
Contributor

Hello John, do you have time to show me how to load Mib files in the Zabbix server?

0 Kudos
PhoneBoy
Admin
Admin

Unless the gateways involved are SMB, it’s probably more of a Management question 🙂

The SNMP files in SK and the ones on the gateway are likely the same.
Don’t believe we’ve changed the MIBs in quite some time.

Taner
Contributor

PhoneBoy I am on the two fronts between Check Point Community and Zabbix, if I can find and MIB creator I want to send him to the prison, why this task is soooo complicated to load the MIB files in the SNMP Daemon, I want to find and Cent OS community to wash them with cold water 😄

0 Kudos