This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
constant69
Contributor
a month ago
Jump to solution

In a cluster environment, is it possible to make the snmp daemon listen on a VIP ?

Hello,

I have a Check Point cluster running R81.20.
This cluster establishes IPSec tunnels with several peers.

I would like to monitor the status of the different tunnels via the active member.

I just noticed that the SNMP daemon is not listening on the VIP.
Is it possible to make this SNMP daemon listen on a VIP?

Here are the details:
On my cluster, SNMP is listening on the interfaces below.

xxxxx> show snmp interfaces

Enabled SNMP Agent Interfaces are

eth5

eth9

xxxxx>

 

Here is the real IP address associated with eth5 as well as the VIP.

[Expert@xxxxx:0]# ifconfig eth5

eth5        Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx

 inet addr:10.1.0.254  Bcast:10.1.0.255  Mask:255.255.255.0

 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

 RX packets:3450678212 errors:0 dropped:3132 overruns:0 frame:0

 TX packets:3172616142 errors:0 dropped:0 overruns:0 carrier:0

 collisions:0 txqueuelen:1000

 RX bytes:2039943960807 (1.8 TiB)  TX bytes:1476745060960 (1.3 TiB)

 Interrupt:44

[Expert@xxxxx:0]# cphaprob -a if | grep eth5

eth5                 UP

eth5            10.1.0.252       VMAC address: xx:xx:xx:xx:xx:xx

 

An snmpwalk on the real IP associated with eth5 works.

[Expert@xxxxx:0]# snmpwalk -v 2c -c XXXXXX 10.1.0.254 .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0

SNMPv2-SMI::enterprises.2620.500.9002.1.3.A.B.C.D.0 = Gauge32: 3

 

An snmpwalk on the VIP associated with eth5 does not work.

[Expert@xxxxx:0]# snmpwalk -v 2c -c XXXXXX -RO 10.1.0.252 .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0

Timeout: No Response from 10.1.0.252

 

The netstat command below shows that the SNMP daemon is listening on the real IPs of interfaces eth5 and eth9.

[Expert@xxxxx:0]# netstat -anop | grep :161

udp        0      0 10.1.0.254:161              0.0.0.0:*                               13462/snmpd         off (0.00/0/0)

udp        0      0 10.2.3.252:161              0.0.0.0:*                               13462/snmpd         off (0.00/0/0)

 

Thank you in advance for your help.

Regards

Labels
0 Kudos
2 Solutions

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
a month ago
Jump to solution

I dont believe that can be configured for VIP, as far as snmp is concerned. I would try set this up for both members, so regardless which one is master at any given time, it would always give the info for both members.

Best,
Andy

View solution in original post

Duane_Toler
MVP Silver
MVP Silver
a month ago
Jump to solution

No, because SNMP is a per-host operation.  It is designed to monitor the status of things on the host.  You can use SNMP to monitor operations of each cluster member as well as the Check Point processes (enable this in "cpconfig", option 2, and restart the services).  If you were to monitor as the VIP only, then you would not be getting status of the standby cluster member, which you still need.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

View solution in original post

0 Kudos
5 Replies
the_rock
MVP Platinum
MVP Platinum
a month ago
Jump to solution

I dont believe that can be configured for VIP, as far as snmp is concerned. I would try set this up for both members, so regardless which one is master at any given time, it would always give the info for both members.

Best,
Andy
JozkoMrkvicka
Authority
Authority
a month ago
Jump to solution

What is your idea to monitoring VPN over SNMP ?

Kind regards,
Jozko Mrkvicka
0 Kudos
constant69
Contributor
a month ago
In response to JozkoMrkvicka
Jump to solution

Hello,

The customer has many sensitive IPSEC VPN tunnels with partners, and the idea here is to monitor via SNMP the status of these tunnels using the OID .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0, where A.B.C.D represents the IP address of a peer.

Regards

Duane_Toler
MVP Silver
MVP Silver
a month ago
Jump to solution

No, because SNMP is a per-host operation.  It is designed to monitor the status of things on the host.  You can use SNMP to monitor operations of each cluster member as well as the Check Point processes (enable this in "cpconfig", option 2, and restart the services).  If you were to monitor as the VIP only, then you would not be getting status of the standby cluster member, which you still need.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Platinum
MVP Platinum
a month ago
In response to Duane_Toler
Jump to solution

Thats exactly what I thought as well, thanks for confirming!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events