This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-01-09 02:36 PM
Jump to solution

Clish quirk with SNMP config

While trying to make my firewalls' configurations more consistent, I noticed something weird. Here it is reproduced on one of my personal boxes:

 

[Expert@DallasSA]# clish -c "show configuration" | grep snmp
set snmp agent-version any
set snmp community public read-only 
set snmp agent-version v3-Only
...

[Expert@DallasSA]# clish
DallasSA> delete snmp community public
NMSSNM0075  SNMP v3-Only does not support community string.
DallasSA> set snmp agent-version any
DallasSA> delete snmp community public
DallasSA> set snmp agent-version v3-only
DallasSA> save config
DallasSA> exit

[Expert@DallasSA]# clish -c "show configuration" | grep snmp
set snmp agent-version v3-Only
...

[Expert@DallasSA]# fw ver
This is Check Point's software version R81.10 - Build 055

[Expert@DallasSA]# cpinfo -y fw1 | grep Take

This is Check Point CPinfo Build 914000239 for GAIA
	HOTFIX_R81_10_JUMBO_HF_MAIN	Take:  129

 

It's possible for the clish config to have both "set snmp agent-version any" and "set snmp agent-version v3-Only" in it at the same time. When these lines are both present in the config, you have to enter "set snmp agent-version any" again in order to interact with the v2 community causing the "agent-version any" line to stick around. Once you have deleted it, you can switch to v3-Only and the "agent-version any" line actually goes away.

Seems like at least two minor bugs in clish.

0 Kudos
1 Solution

Accepted Solutions
nitzanef
Employee
Employee
‎2024-01-31 06:28 AM
Jump to solution

This is by design, not a bug.
This behavior is to save the configuration when switching to version any (v1/v2/v3) or when implementing the configuration on different machine (see PMTR-68517)

 

Nitzan

View solution in original post

5 Replies
nitzanef
Employee
Employee
‎2024-01-31 06:28 AM
Jump to solution

This is by design, not a bug.
This behavior is to save the configuration when switching to version any (v1/v2/v3) or when implementing the configuration on different machine (see PMTR-68517)

 

Nitzan

the_rock
MVP Platinum
MVP Platinum
‎2024-01-31 06:50 AM
In response to nitzanef
Jump to solution

Btw, customers cant see that PMTR, thats internal to CP employees only, it would seem.

Best,

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-01-31 07:32 AM
In response to nitzanef
Jump to solution

Then that is a terrible design on multiple levels.

  • "set snmp agent-version any" and "set snmp agent-version v3-Only" should not be able to coexist in the config. If you're going to use the string "v3-Only", then it should mean v3 ONLY. This is clearly a bug in either how clish works or in the naming of the config option.
  • If you're going to allow v2 config to remain when the agent version is set to both any and v3-Only, you should allow it to be removed when the agent version is set to v3-Only. This is clearly a bug in the validation of whether commands affecting v2 can be entered. The user should always be able to remove configuration items without changing unrelated items.
  • If there's v2 configuration, trying to set agent-version to v3-Only should at least generate a warning. I'd argue it should simply reject the input in the same way you can't delete a bond before you remove all of its members (deleting a bond could clearly be interpreted as removing all of its members from it, but clish doesn't work that way).
the_rock
MVP Platinum
MVP Platinum
‎2024-01-31 07:35 AM
In response to Bob_Zimmerman
Jump to solution

Those are definitely valid points @Bob_Zimmerman 

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-31 06:49 AM
Jump to solution

I get same thing on R81.20 jumbo 41

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events