MR_K
Participant

SNMP Query Timeout / IPS of Gateway Up to Date Monitoring

Hi Checkmates,

I am struggling with an SNMP query of an SNMP extension that is delivering an empty response, even though the script itself runs fine when run locally.

The customer wants us to make sure that the IPS version running on the gateway is up to date by monitoring it via our Nagios monitoring tool. I wrote a bash script to check this, which follows this logic (full script attached):

- Use API to check if IPS is up to date on SMS

- if no use API to update it then check again; if still not up to date --> end with error

- use g_bash (see https://community.checkpoint.com/t5/Scripts/GAIA-Easy-execute-CLI-commands-from-management-on-gatewa...) to query the gateways for the currently installed IPS version & compare with Management version

- if Version is the same --> end with success

- if Version is not the same --> end with error (future development: do a policy install on all devices not up to date)

The SNMP extension has been configured as described in sk90860 IV 6.

 

When run locally on the SMS the script runs through without an issue and fulfills its task as it should, and the result is displayed within 20-30 seconds.

When querying the SNMP extension via SNMP (independent of the Nagios system or via "snmpwalk localhost") the output is String: ""

I tried reducing the amount of code in the script to pinpoint the error and found that once the script takes longer than one or two seconds, debug output (echo "testX") starts to not appear fully (only the first 4 instead of all 5 echos). When increasing the timeout of the snmpwalk via -t I do get the full response. Adding more lines back in, same issue. The necessary timeout for 3/4 of the script is -t 2000, which according to the help page is 2000 seconds; still the full output appears within 15 seconds. Since the maximum timeout I can give as an argument to snmpwalk is 2148 (go any higher and it says illegal option), I do not receive the output of the script anymore once I run through the whole code.

 

My two questions:
- Does someone already have a better solution to check/monitor if the IPS version ON THE GATEWAY is up to date?

- Does someone know if there is a Checkpoint-internal timeout for SNMP queries and my script is taking too long for this?

 

Thanks!

0 Kudos
2 Replies
Timothy_Hall
Champion

You can't query the state of IPS via SNMP directly on the gateway, as the needed OIDs do not exist in the MIB there.  I ran into this when putting my 2021 IPS/AV/ABOT video series together, the relevant page is below.  You are going to be stuck remotely running a command on the gateway such as ips stat or cpstat -f ips blades or fw stat -b AMW and parsing the output. 

One interesting (and secure) way to do this is via SIC from the SMS as described here: sk101047 - How to manage Security Gateway using the "cprid_util" tool

[Image: ips_snmp.png]

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
MR_K
Participant

Thanks for the input @Timothy_Hall,
but that is what I am doing already, g_bash from @HeikoAnkenbrand is utilizing cprid_util.

0 Kudos
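
One way to keep a 20-30 second check from racing the SNMP query timeout described in the question is to run the check out of band and let the SNMP extension return only a cached result. This is an added example, not code from the thread or from Check Point; the cache path, the function names and the 900-second freshness limit are assumptions.

```shell
#!/bin/sh
# Added example. CACHE_FILE, MAX_AGE and the function names are assumptions.
# Keep the cache directory writable only by the account that runs the check,
# so other local users cannot plant a fake "OK" result.
CACHE_FILE="${CACHE_FILE:-/var/cache/ips_check/result}"  # hypothetical path
MAX_AGE="${MAX_AGE:-900}"   # seconds a cached result stays valid (assumed)

# refresh_cache CMD [ARGS...]: run from cron. Executes the slow check and
# stores "<epoch> <exit code> <first output line>" via an atomic rename, so a
# reader never sees a half-written result.
refresh_cache() {
    local out rc tmp
    out=$("$@" 2>&1) && rc=0 || rc=$?
    out=$(printf '%s\n' "$out" | head -n 1)
    tmp=$(mktemp "${CACHE_FILE}.XXXXXX") || return 3
    printf '%s %s %s\n' "$(date +%s)" "$rc" "$out" > "$tmp"
    chmod 644 "$tmp"            # the SNMP daemon may run as another user
    mv -f "$tmp" "$CACHE_FILE"
}

# report_cached: the command the SNMP extension runs. It only reads a file,
# so it answers immediately. Returns Nagios-style codes (3 = UNKNOWN).
report_cached() {
    local ts rc msg age
    if [ ! -r "$CACHE_FILE" ]; then
        echo "UNKNOWN: no cached result"; return 3
    fi
    read -r ts rc msg < "$CACHE_FILE" || true
    case "$ts" in ''|*[!0-9]*) echo "UNKNOWN: malformed cache"; return 3 ;; esac
    case "$rc" in ''|*[!0-9]*) echo "UNKNOWN: malformed cache"; return 3 ;; esac
    age=$(( $(date +%s) - ts ))
    if [ "$age" -gt "$MAX_AGE" ]; then
        # A stale result must not be reported as OK: the check may have stopped running.
        echo "UNKNOWN: cached result is ${age}s old"; return 3
    fi
    echo "$msg"
    return "$rc"
}

# Dispatch: "refresh <slow check command>" from cron, "report" from the SNMP extension.
case "${1:-}" in
    refresh) shift; refresh_cache "$@" ;;
    report)  report_cached ;;
esac
```

The staleness branch matters for monitoring: if the scheduled refresh stops running, the extension reports UNKNOWN instead of repeating the last good result.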