This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MR_K
Participant
‎2022-01-20 07:28 AM

SNMP Query Timeout / IPS of Gateway Up to Date Monitoring

Hi Checkmates,

I am struggling with an SNMP query of an SNMP extension, that is delivering an empty response, even though the script itself runs fine when run locally.

The customer wants us to make sure, that the IPS Version running on the gateway is up to date by monitoring it via our Nagios Monitoring Tool. I wrote a bash script to check this which follows this logic (full script attached):

- Use API to check if IPS is up to date on SMS

- if no use API to update it then check again; if still not up to date --> end with error

- use g_bash (see https://community.checkpoint.com/t5/Scripts/GAIA-Easy-execute-CLI-commands-from-management-on-gatewa...) to query the gateways for the currently installed IPS version & compare with Management version

- if Version is the same --> end with success

- if Version is not the same --> end with error (future development: do a policy install on all devices not up to date)

The SNMP extension has been configured as described in sk90860 IV 6.

 

When run locally on the SMS the scripts runs through without an issue and fulfills it's task as it should and the result is displayed within 20-30 seconds.

When querying the SNMP extension via SNMP (independent of Nagios system or via "snmpwalk localhost" the output is String: ""

I tried reducing the amount of code in the script to pinpoint the error and found the issue, that once the script takes longer than one or two seconds, debug output (echo "testX") starts to not appear fully (only the first 4 instead of all 5 echos). When increasing the timeout of the snmpwalk via -t I do get the full response. Adding more lines back in, same issue. The necessary timeout for 3/4 of the scripts is -t 2000, which according to the help page is 2000 seconds; still the full output appears within 15 seconds. Since the maximum timeout I can give as an argument to snmpwalk is 2148 (go any higher and he says illegal option) I do not recieve the output of the script anymore once I run through the whole code.

 

My two questions:
- Does someone already have a better solution to check/monitor if the IPS version ON THE GATEWAY is up to date?

- Does someone know if there is an Checkpoint internal timeout for SNMP querys and my script is taking too long for this?

 

Thanks!

Preview file
3 KB
0 Kudos
2 Replies
Timothy_Hall
Champion
Champion
‎2022-01-21 07:05 AM

You can't query the state of IPS via SNMP directly on the gateway, as the needed OIDs do not exist in the MIB there.  I ran into this when putting my 2021 IPS/AV/ABOT video series together, the relevant page is below.  You are going to be stuck remotely running a command on the gateway such as ips stat or cpstat -f ips blades or fw stat -b AMW and parsing the output. 

One interesting (and secure) way to do this is via SIC from the SMS as described here: sk101047 - How to manage Security Gateway using the "cprid_util" tool

ips_snmp.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
MR_K
Participant
‎2022-01-24 01:37 AM
In response to Timothy_Hall

Thanks for the input @Timothy_Hall,
but that is what I am doing already, g_bash from @HeikoAnkenbrand is utilizing cprid_util.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events