This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MR_K
Participant
‎2022-01-20 07:28 AM

SNMP Query Timeout / IPS of Gateway Up to Date Monitoring

Hi Checkmates,

I am struggling with an SNMP query of an SNMP extension, that is delivering an empty response, even though the script itself runs fine when run locally.

The customer wants us to make sure, that the IPS Version running on the gateway is up to date by monitoring it via our Nagios Monitoring Tool. I wrote a bash script to check this which follows this logic (full script attached):

- Use API to check if IPS is up to date on SMS

- if no use API to update it then check again; if still not up to date --> end with error

- use g_bash (see https://community.checkpoint.com/t5/Scripts/GAIA-Easy-execute-CLI-commands-from-management-on-gatewa...) to query the gateways for the currently installed IPS version & compare with Management version

- if Version is the same --> end with success

- if Version is not the same --> end with error (future development: do a policy install on all devices not up to date)

The SNMP extension has been configured as described in sk90860 IV 6.

 

When run locally on the SMS the scripts runs through without an issue and fulfills it's task as it should and the result is displayed within 20-30 seconds.

When querying the SNMP extension via SNMP (independent of Nagios system or via "snmpwalk localhost" the output is String: ""

I tried reducing the amount of code in the script to pinpoint the error and found the issue, that once the script takes longer than one or two seconds, debug output (echo "testX") starts to not appear fully (only the first 4 instead of all 5 echos). When increasing the timeout of the snmpwalk via -t I do get the full response. Adding more lines back in, same issue. The necessary timeout for 3/4 of the scripts is -t 2000, which according to the help page is 2000 seconds; still the full output appears within 15 seconds. Since the maximum timeout I can give as an argument to snmpwalk is 2148 (go any higher and he says illegal option) I do not recieve the output of the script anymore once I run through the whole code.

 

My two questions:
- Does someone already have a better solution to check/monitor if the IPS version ON THE GATEWAY is up to date?

- Does someone know if there is an Checkpoint internal timeout for SNMP querys and my script is taking too long for this?

 

Thanks!

Preview file
3 KB
0 Kudos
2 Replies
This widget could not be displayed.