Hi Checkmates,
I am struggling with an SNMP query of an SNMP extension that is delivering an empty response, even though the script itself runs fine when run locally.
The customer wants us to make sure that the IPS version running on the gateway is up to date by monitoring it via our Nagios monitoring tool. I wrote a bash script to check this which follows this logic (full script attached):
- Use API to check if IPS is up to date on SMS
- if not, use the API to update it, then check again; if still not up to date --> end with error
- use g_bash (see https://community.checkpoint.com/t5/Scripts/GAIA-Easy-execute-CLI-commands-from-management-on-gatewa...) to query the gateways for the currently installed IPS version & compare with Management version
- if Version is the same --> end with success
- if Version is not the same --> end with error (future development: do a policy install on all devices not up to date)
The SNMP extension has been configured as described in sk90860 IV 6.
When run locally on the SMS, the script runs through without an issue and fulfills its task as it should, and the result is displayed within 20-30 seconds.
When querying the SNMP extension via SNMP (independent of the Nagios system or via "snmpwalk localhost"), the output is String: ""
I tried reducing the amount of code in the script to pinpoint the error and found that once the script takes longer than one or two seconds, debug output (echo "testX") starts to not appear fully (only the first 4 instead of all 5 echos). When increasing the timeout of the snmpwalk via -t, I do get the full response. Adding more lines back in, same issue. The necessary timeout for 3/4 of the script is -t 2000, which according to the help page is 2000 seconds; still, the full output appears within 15 seconds. Since the maximum timeout I can give as an argument to snmpwalk is 2148 (go any higher and it says illegal option), I do not receive the output of the script anymore once I run through the whole code.
My two questions:
- Does someone already have a better solution to check/monitor if the IPS version ON THE GATEWAY is up to date?
- Does someone know if there is a Check Point internal timeout for SNMP queries and my script is taking too long for this?
Thanks!
You can't query the state of IPS via SNMP directly on the gateway, as the needed OIDs do not exist in the MIB there. I ran into this when putting my 2021 IPS/AV/ABOT video series together; the relevant page is below. You are going to be stuck remotely running a command on the gateway such as "ips stat" or "cpstat -f ips blades" or "fw stat -b AMW" and parsing the output.
One interesting (and secure) way to do this is via SIC from the SMS as described here: sk101047 - How to manage Security Gateway using the "cprid_util" tool
Thanks for the input @Timothy_Hall,
but that is what I am doing already; g_bash from @HeikoAnkenbrand is utilizing cprid_util.
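For the symptom in the opening post (the extension returns an empty string once the script runs longer than a second or two), one common way to decouple a slow check from the SNMP query is to run the check from cron and let the extension print only a cached result. The script below is an added example, not code from the thread or from Check Point; the cache path, the `MAX_AGE` value and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File locations and names are hypothetical.
# Assumed cache location; use a directory only the job's user can write to.
CACHE_FILE="${CACHE_FILE:-/var/lib/ips_check/status.cache}"
MAX_AGE="${MAX_AGE:-900}"      # seconds after which a cached result is stale
TAB="$(printf '\t')"

# Slow path, run from cron: execute the long-running check given as arguments
# and store "epoch<TAB>exit code<TAB>output on one line". The result is written
# to a temp file and renamed so a concurrent reader never sees a partial record.
refresh_cache() {
    local out rc tmp
    tmp="$(mktemp "${CACHE_FILE}.XXXXXX")" || return 3
    out="$("$@" 2>&1)" && rc=0 || rc=$?
    printf '%s\t%s\t%s\n' "$(date +%s)" "$rc" \
        "$(printf '%s' "$out" | tr '\n' ' ')" > "$tmp"
    mv -f "$tmp" "$CACHE_FILE"
}

# Fast path, run by the SNMP extension: print the cached status line and return
# its exit code. A missing, corrupt or stale record is reported as UNKNOWN (3),
# so an old "up to date" result can never be read as current.
read_cache() {
    local ts= rc= msg= now age
    if [ -r "$CACHE_FILE" ]; then
        IFS="$TAB" read -r ts rc msg < "$CACHE_FILE" || true
    fi
    case "$ts" in ''|*[!0-9]*) ts= ;; esac
    case "$rc" in ''|*[!0-9]*) ts= ;; esac
    if [ -z "$ts" ]; then
        echo "UNKNOWN: no valid cached result"; return 3
    fi
    now="$(date +%s)"; age=$((now - ts))
    if [ "$age" -gt "$MAX_AGE" ]; then
        echo "UNKNOWN: cached result is ${age}s old"; return 3
    fi
    echo "$msg"; return "$rc"
}

# Usage: <this script> refresh <check command...>   (cron)
#        <this script> read                         (SNMP extension)
case "${1:-}" in
    refresh) shift; refresh_cache "$@" ;;
    read)    read_cache ;;
esac
```

The cache file is created by `mktemp` with owner-only permissions, so the cron job and the SNMP agent need to run as the same user (or the mode must be widened deliberately).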