SWBW_Florian
Contributor

SNMP -v:3 on CP gateway

Hey there

I tried to monitor our VPN connections through SNMP and am having some trouble doing that.

For testing purposes I use the "Paessler SNMP Tester 5.2.1". I already tried PowerShell/cmd as well.

We have a cluster, one mgmt and 2 nodes. I created the user on both gateways and added the FW rules to reach them.

I then downloaded the Paessler SNMP Tester and entered all the data for the SNMPv3 test.

I rechecked username, password and key multiple times and can confirm that they are definitely correct.

I got auth fail issues, though:

26.05.2025 09:29:15 (115 ms) : Value: Authentication failure (incorrect password, community or key) -35

What could be wrong here?

thanks in advance

regards
7 Replies
genisis__
Mentor

Can you paste your SNMPv3 config please (exclude password)?
Also, have you confirmed SNMPv2 works first? I generally like to test SNMPv2 if v3 has issues. Also, the only thing I've seen is if the NMS supports only SHA-1 but the Check Point GW (when it's a new build) supports only SHA2 without a workaround.

SWBW_Florian
Contributor

In Gaia it's configured as you can see in the attachment.

regards
genisis__
Mentor

Does the NMS support SHA256? This is where I've generally found there to be a problem. There is a way to set the gateway to use SHA-1, if you want to try this.

SWBW_Florian
Contributor

I would just try to switch to SHA-1. How do I do that?

regards
genisis__
Mentor

I agree, I don't like the fact that CP removed the ability to use SHA-1 for SNMP when you do a new build, as I think that decision should be for the customer and their security policy to decide.
Do you know how to get SHA-1 available again? If not, let me know.

genisis__
Mentor

This is what I've done based on information from the community. Please note that this is not supported by Check Point and I take no responsibility if there is an issue.

I know on the devices I've managed it works. I've used this on R81.x. I see no reason why it would not work on R82.x.

clish:
add snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password> privacy-protocol AES authentication-protocol SHA256

expert:
dbset snmp:v3:user:SNMPUser:auth:proto .1.3.6.1.6.3.10.1.1.3

clish:
set snmp usm user SNMPUser vsid all (Only needed if you are using VSX)
show snmp usm user SNMPUser (Should report SHA-1)

Need to ensure you reset the password at this final stage
set snmp usm user SNMPUser security-level authPriv auth-pass-phrase <Password> privacy-pass-phrase <Password>
save config

Note:
If you upgrade or apply a jumbo, you may have to redo this.

joerivang
Contributor

This is also how we do it.

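Why a SHA-1 NMS fails authentication against a SHA-256 agent even when the passphrase is correct, shown as an added example that is not part of the thread or of Check Point's code. It follows the USM password-to-key derivation of RFC 3414 and the SHA-2 MAC of RFC 7860; the engine ID, passphrase and message bytes are constructed sample values. Because the localized key depends on the hash, a key derived under one protocol is useless under the other, which fits the advice above to set the passphrase again after changing the protocol.

```python
import hashlib
import hmac

# USM auth protocol OID -> (hash, truncated MAC length in bytes); RFC 3414 / RFC 7860.
AUTH_PROTOCOLS = {
    "1.3.6.1.6.3.10.1.1.3": ("sha1", 12),    # usmHMACSHAAuthProtocol (the dbset value)
    "1.3.6.1.6.3.10.1.1.5": ("sha256", 24),  # usmHMAC192SHA256AuthProtocol
}

def localized_key(passphrase: str, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: stretch the passphrase to 1 MiB, hash it, bind it to the engine ID."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    reps, rem = divmod(1_048_576, len(pw))
    ku = hashlib.new(hash_name, pw * reps + pw[:rem]).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_params(oid: str, passphrase: str, engine_id: bytes, message: bytes) -> bytes:
    """msgAuthenticationParameters as one side computes it for `message`."""
    hash_name, mac_len = AUTH_PROTOCOLS[oid.lstrip(".")]
    key = localized_key(passphrase, engine_id, hash_name)
    return hmac.new(key, message, hash_name).digest()[:mac_len]

def agent_accepts(agent_oid, nms_oid, passphrase, engine_id, message) -> bool:
    """True if the MAC sent by the NMS equals the one the agent recomputes."""
    sent = auth_params(nms_oid, passphrase, engine_id, message)
    expected = auth_params(agent_oid, passphrase, engine_id, message)
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    SHA1, SHA256 = AUTH_PROTOCOLS  # dict keys, in insertion order
    engine = bytes.fromhex("80000000010a000001")  # constructed engine ID
    secret = "Constructed-Passphrase-1"           # constructed passphrase
    msg = b"constructed stand-in for a serialized SNMPv3 message"
    print("same passphrase, different localized keys:")
    print("  SHA-1  ", localized_key(secret, engine, "sha1").hex())
    print("  SHA-256", localized_key(secret, engine, "sha256").hex())
    print("NMS SHA-1 vs agent SHA-256:", agent_accepts(SHA256, SHA1, secret, engine, msg))
    print("NMS SHA-1 vs agent SHA-1:  ", agent_accepts(SHA1, SHA1, secret, engine, msg))
```
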
