FYI - The checkpoint mibs are kind of limited and doesn't take into account how tunnel management is handled. Your best option to have true visibility is to make sure VPN tunnel is set to 1 tunnel per peer. Once you have this you can truely show VPN is up or down per peer.

The details are there isn't a way to say "between these two peers is there a vpn up from this subnet/host to this subnet/host up?". You could get into a place where part of the VPN is working and part of it isn't but zabbix would see it as working. With one vpn per peer you know its always up or down and zabbix (really snmp) will show the correct info.

I haven't used those templates. We just looked up the VPN mibs and added them to zabbix.

"I haven't used those templates. We just looked up the VPN mibs and added them to zabbix."

Hello, John Fleming thank you for your answer.

Could you tell me how to import Mib files to Zabbix?

There is a version signature in CHECKPOINT-MIB:

checkpoint MODULE-IDENTITY
LAST-UPDATED "201312261309Z"
ORGANIZATION "Check Point"
CONTACT-INFO "Check Point"
DESCRIPTION "Check Point MIB
See the most common OIDs, with detailed descriptions, in the SNMP Best Practices Guide - sk98552
(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)"
REVISION "201312261309Z"
DESCRIPTION "Update the SMIv1 MIB to SMIv2"
::= { enterprises 2620 }

I can't remember which one I am using on our Zabbix server but I can check later on. 

@Taner You need to copy MIB file to  /usr/local/share/snmp/mibs/ and specify this path in snmp config:

# cat /etc/snmp/snmp.conf
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
mibdirs +/usr/local/share/snmp/mibs

And of course make sure snmpd is running.

Search for CP_SNMP_BestPracticesGuide.pdf on CheckPoint site. It is really helpful. Page 24 is what you are looking for.

Thank you Hristo Grigorov.

I will check.

Hello Hristo Grigorov,

But we are talking about SNMP V3 MIBS.

I will appreciate it a lot if it's possible to check exactly which files to where should be copied.

What has MIB file to do with SNMP protocol version ? All you need to copy is CHECKPOINT-MIB and eventually CHECKPOINT-MIB-TRAP.

Hello Hristo Grigorov,

In my Zabbix it's different.

I don't have this config file:
 /etc/snmp/snmp.conf 

I find:
/usr/share/snmp/mibs

And I find:
/etc/snmp/snmpd.conf

Is it possible my snmp version does not support SNMP v3?

The OS is CentOS Linux release 7.6.1810 (Core)

Yeah, you may drop MIB file in that location and don't forget to restart snmpd after that. I don't like to mess with OS default folders hence why I put mine in local one. Anyway, it is best to check CentOS docs on how to properly configure SNMP daemon. Can't help with this, Debian here.

Which mib files I should use from the Check Point Web site for GAIA Checkpoint R80.30 ?
(Check Point Products chkpnt.mib)(Check Point Traps chkpnt-trap.min)(Gaia OS Traps is this the right file? GaiaTrapsMIB.mib)

net-snmp-config --version
5.7.2

net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp:/var/lib/net-snmp

chkpnt.mib, but add them all. 

chkpnt.mib <- this is for polling. NMS Asking your firewall fire stuff.

chkpnt-trap.mib / GaiaTrapsMIB.mib <- these are for Trap, Firewall telling your NMS something just happened without being asked.

For checking VPN tunnels which is the right MIB file?

And the most important question, how I can load the new MIB file in the SNMP daemon?
Now I read this:

http://net-snmp.sourceforge.net/wiki/index.php/TUT:Using_and_loading_MIBS

But:

# Access Control
################################################## #############################
mibs +GaiaTrapsMIB.txt

/etc/snmp/snmpd.conf: line 18: Warning: Unknown token: mibs.

Where I am wrong?

The OS is CentOS Linux release 7.6.1810 (Core)

net-snmp-config --version
5.7.2

net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib64/snmp:/root/.snmp:/var/lib/net-snmp

John_Fleming do you know the right syntax to check snmpwalk v3?
snmpwalk -v3 -l authPriv -u USERNAME -a MD5 -A PASSWORD -x AES -X PASSWORD GW2_HostName_or_IP_Address OID
I received these credentials:
Security Level - authPriv
User Permissions - read-only
Authentication protocol - MD5
Privacy Protocol - AES
Authentication passphrase and Privacy passphrase
If the Check Point IP address is 192.168.1.100?
I don't have username for the Check Point device.

You would need to configure an snmp username/password on the appliance in question.
That's a requirement for SNMPv3.

v2 and v3 use the same mibs. v3 just adds stronger authentication to snmp. 

yeah it depends on how net-snmp is installed and snmp.conf is setup and containers bla bla bla. 

This is pretty close to ours. Ours is installed in container so in our case its in the dir we mapped to the volume but that happens to be /usr/share/mibs/ in the container. 

John_Fleming you are right.

How I can easily check which version is my SNMP?

Hello PhoneBoy,

Thank you for your fast response.

The MIB files from the local device and from the website of the Check Point what is the difference?

I posted the topic here because I did see another topic but for SNMP V2 in this section.
 
Hello John_Fleming  could you share your experience regarding the topic?

Honestly, someone from checkpoint would need to explain. My guess is the mib file on the gateway is the mib file based on release date where as the mib file on the website could in theory be more up to date. 

They should basically be the same, but I would pull the gateway one and the website one and diff them to see whats different. I don't recall there being any version info in the mib files in either place but I could be wrong.

Hello John, do you have time to show me how to load Mib files in the Zabbix server?

Unless the gateways involved are SMB, it’s probably more of a Management question 🙂

The SNMP files in SK and the ones on the gateway are likely the same.
Don’t believe we’ve changed the MIBs in quite some time.

PhoneBoy I am on the two fronts between Check Point Community and Zabbix, if I can find and MIB creator I want to send him to the prison, why this task is soooo complicated to load the MIB files in the SNMP Daemon, I want to find and Cent OS community to wash them with cold water 😄