This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SWBW_Florian
Contributor
‎2025-05-26 12:36 AM

SNMP -v:3 on CP gateway

hey there

i tried to monitor our VPN connections through SNMP and have some troubles doing that

for testing purposes i use the "Peassler SNMP Tester 5.2.1". I already tried powershell/cmd as well.

we have a cluster, one mgmt and 2 nodes. I created the user on both gateways and added the fw rules to reach them

i then downloaded the paessler snmp tester and implemented all data for the SNMPv3 test

i rechecked username,password and key multiple times and can confirm that they are definitively correct

i got auth fail issues, though

26.05.2025 09:29:15 (115 ms) : Value: Authentication failure (incorrect password, community or key) -35

 

What could be wrong here?

thanks in advance

regards
0 Kudos
7 Replies
genisis__
Mentor Mentor
Mentor
‎2025-05-26 01:31 AM

Can you paste your SNMPv3 config please (exclude password).
Also have you confirm SNMPv2 works first, I generally like to test SNMPv2 if v3 has issue.  Also the only thing I've seen is if the NMS supports only SHA-1 but the Checkpoint GW (when its a new build) supports only SHA2 without a workaround.

0 Kudos
SWBW_Florian
Contributor
‎2025-05-26 02:42 AM
In response to genisis__

at gaia its configured as you can see it in the attachment

 

 

 

 

regards
Preview file
15 KB
0 Kudos
genisis__
Mentor Mentor
Mentor
‎2025-05-26 02:57 AM
In response to SWBW_Florian

Does the NMS support SHA256?  I this is where I've generally found to be a problem.  There is away to set the gateway to use SHA-1, if you want to try this.

0 Kudos
SWBW_Florian
Contributor
‎2025-05-26 03:03 AM
In response to genisis__

i just would try to switch to sha1. How to do that?

regards
0 Kudos
genisis__
Mentor Mentor
Mentor
‎2025-05-26 05:26 AM
In response to SWBW_Florian

I agree, I don't like the fact CP remove the ability to use SHA-1 for SNMP when you do a new build, as I think that decision should for the customer and there security policy to decide.
Do you know how to get SHA-1 available again?  If not let me know.

0 Kudos
genisis__
Mentor Mentor
Mentor
‎2025-05-26 09:33 AM
In response to SWBW_Florian

This is what I've done based on information from the community.  Please note, that this is not supported by Checkpoint and I take no responsibility if there is an issue.

I know on the devices I've managed it works. I've used this on  R81.x.  I see no reason why it would not work on R82.x

clish:
add snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password> privacy-protocol AES authentication-protocol SHA256

expert:
dbset snmp:v3:user:SNMPUser:auth:proto .1.3.6.1.6.3.10.1.1.3

clish:
set snmp usm user SNMPUser vsid all (Only needed if you are using VSX)
show snmp usm user SNMPUser (Should report SHA-1)

Need to ensure you reset the password at this final stage
set snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password>
save config

Note:
If you upgrade or apply a jumbo, you may have to redo this.

joerivang
Contributor
‎2025-05-26 09:48 AM
In response to genisis__

This is also how we do it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events