Hello,
Could someone tell me which process is in charge of "SNMP" traffic?
I want to try to "restart" only this process from the CLI of my SMS, since we currently have configured the SNMPv2 in the SMS, but no "traffic" is arriving to our monitoring manager which is a Zabbix.
Apparently all the configuration is fine, but no traffic is reaching the Manager.
Does anyone know which commands can help me with the following:
1- Validate if the SMS is listening to traffic on port 161 (For SNMP Queries).
2- Validate if the SMS is really sending "traffic" to my Zabbix on port 162.
3- Restart from the CLI the SNMP process, to avoid restarting the SMS.
Thanks. 🙂
You can attempt local snmpwalk / snmpget commands from the CLI in expert mode and work from there.
Refer also:
sk98552: Best Practices - SNMP
sk90860: How to configure SNMP on Gaia OS
The process is snmpd. You can simply run ps -auxw | grep snmpd and check whether it's running or not. To check if traffic is listening on that port, simply run tcpdump -enni any (or whatever interface it is) port 162
So say it's interface eth3, then you can run tcpdump -enni eth3 port 162 or fw monitor -e "accept port(162);"
Regards,
Andy
I get this result when I run the command you shared with me.
Can it be interpreted that port 161 is working?
Is there a way to "restart" only the SNMPD process?
Thank you.
kill -9 2353 (or whatever the PID is)
then just type snmp or snmpd
Andy
I am going to try it.
The problem with the "fw monitor...." is that, being an SMS, the command doesn't "grab", and TCPDUMP just doesn't "show" anything:
[Expert@SMS:0]# tcpdump -enni eth0 port 162
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
I have the impression that the problem comes from the snmp "process", and that is why we intend to restart only the process but without restarting the SMS completely.
1. netstat will show if listening on all IP interfaces which is the default
[Expert@FW01:0]# netstat -tulpn | grep snmp
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 740/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 740/snmpd
2. tcpdump on the listening interface should show packets if they are arriving
[Expert@OFW01:0]# tcpdump -i eth0 port 161
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:57:17.695909 IP 172.16.10.10.59013 > FW01.snmp: F=r U="" E= C="" GetRequest(14)
3. clish commands "set snmp agent off" and "set snmp agent on"
You can see snmp is no longer running when I set agent off, and running after set agent on:
[Expert@FW01:0]# clish -c "set snmp agent off"
[Expert@FW01:0]# ps ax | grep snmp
726 pts/1 S+ 0:00 grep --color=auto snmp
[Expert@FW01:0]# clish -c "set snmp agent on"
[Expert@FW01:0]# ps ax | grep snmp
740 ? Ssl 0:00 /usr/sbin/snmpd -f -c /etc/snmp/userDefinedSettings.conf
756 pts/1 S+ 0:00 grep --color=auto snmp
These were all taken from an R81.20 standalone fw+mgmt.
Does your policy allow SNMP connections?
Hello,
I have tried to restart the snmp service with "set snmp agent off | on", but I have not been able to "reestablish" the service. I have a security rule, which allows traffic, as follows:
SRC: SMS
DST: Zabbix
Services: 161/162
Action: Accept
What comes to mind is the "blessed reboot", hehe. Since we want to avoid restarting the SMS completely, we would like to only restart the SNMP service. As I understand, I can do this with "fw kill -9 PID", but I would like to know how I obtain the SNMP PID.
Greetings
This rule logic is incorrect if you are expecting Zabbix to actively poll the SMS via SNMP, as distinct from (or in addition to) receiving SNMP traps.
@Matlu wrote: As I understand, I can do this with "fw kill -9 PID", but I would like to know how I obtain the SNMP PID
PID is the first column number in the ps ax | grep snmp command
You could also run top, shift+L, type snmp, enter to search. It will highlight the snmp daemon, again first column is PID.
Also, as mentioned, your rule looks incorrect for Zabbix to poll the SMS. SMS should be destination.
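The checks discussed in this thread, collected as an added example that is not part of any poster's reply: one helper pulls the snmpd PID and bind address out of `netstat -tulpn` output, the other counts inbound polls (to port 161) and outbound traps (to port 162) in `tcpdump -nn` output captured without `-e`. The function names and the 192.0.2.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed, addresses are placeholders.

# stdin: `netstat -tulpn` output. Prints "<pid> <bind-address>" for each
# UDP socket on port 161 owned by snmpd (answers "is it listening?" and
# "what is the PID?" in one step).
snmpd_listener() {
    awk '$1 ~ /^udp/ && $NF ~ /\/snmpd$/ {
        n = split($4, a, ":")
        if (a[n] != "161") next
        split($NF, p, "/")
        print p[1], substr($4, 1, length($4) - length(a[n]) - 1)
    }'
}

# stdin: `tcpdump -nn` lines; $1: the SMS address. Counts polls arriving at
# the SMS (dst port 161) and traps leaving it (dst port 162). These are two
# separate flows in opposite directions, so each needs its own rule.
snmp_directions() {
    awk -v sms="$1" '$2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)
        shost = $3;  sub(/\.[0-9]+$/, "", shost)
        dhost = dst; sub(/\.[0-9]+$/, "", dhost)
        dport = dst; sub(/.*\./, "", dport)
        if (dhost == sms && dport == "161") polls++
        if (shost == sms && dport == "162") traps++
    }
    END { printf "polls_in=%d traps_out=%d\n", polls, traps }'
}

sample_netstat() {   # the two lines shown in the thread
    cat <<'EOF'
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 740/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 740/snmpd
EOF
}

sample_tcpdump() {   # constructed: 192.0.2.5 = SMS, 192.0.2.10 = poller
    cat <<'EOF'
10:00:01.000001 IP 192.0.2.10.59013 > 192.0.2.5.161:  GetRequest(28)
10:00:01.000900 IP 192.0.2.5.161 > 192.0.2.10.59013:  GetResponse(30)
10:00:07.120000 IP 192.0.2.5.40112 > 192.0.2.10.162:  V2Trap(60)
EOF
}

sample_netstat | snmpd_listener            # 740 0.0.0.0
sample_tcpdump | snmp_directions 192.0.2.5 # polls_in=1 traps_out=1
```

On a live system the same functions take `netstat -tulpn` and `tcpdump -nn -l -c 20 -i eth0 'udp port 161 or udp port 162'` on stdin; a bind address of 127.0.0.1 or polls_in=0 points at the agent configuration or the policy rather than at the daemon itself.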