Bob_Zimmerman
Authority

Clish quirk with SNMP config

While trying to make my firewalls' configurations more consistent, I noticed something weird. Here it is reproduced on one of my personal boxes:


[Expert@DallasSA]# clish -c "show configuration" | grep snmp
set snmp agent-version any
set snmp community public read-only 
set snmp agent-version v3-Only
...

[Expert@DallasSA]# clish
DallasSA> delete snmp community public
NMSSNM0075  SNMP v3-Only does not support community string.
DallasSA> set snmp agent-version any
DallasSA> delete snmp community public
DallasSA> set snmp agent-version v3-only
DallasSA> save config
DallasSA> exit

[Expert@DallasSA]# clish -c "show configuration" | grep snmp
set snmp agent-version v3-Only
...

[Expert@DallasSA]# fw ver
This is Check Point's software version R81.10 - Build 055

[Expert@DallasSA]# cpinfo -y fw1 | grep Take

This is Check Point CPinfo Build 914000239 for GAIA
	HOTFIX_R81_10_JUMBO_HF_MAIN	Take:  129


It's possible for the clish config to have both "set snmp agent-version any" and "set snmp agent-version v3-Only" in it at the same time. When these lines are both present in the config, you have to enter "set snmp agent-version any" again in order to interact with the v2 community, causing the "agent-version any" line to stick around. Once you have deleted it, you can switch to v3-Only and the "agent-version any" line actually goes away.

Seems like at least two minor bugs in clish.
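An added audit check, not part of the original post or of Check Point's own tooling, that flags the two conditions described above in a saved "show configuration" dump: more than one "set snmp agent-version" line, and community strings still present while the last (effective) line is v3-Only. It assumes the clish output has been saved to a file first; the sample lines are constructed from the post.

```bash
#!/bin/bash
# Audit a Gaia clish "show configuration" dump for inconsistent SNMP settings.
# Usage on a gateway (expert mode):
#   clish -c "show configuration" > /tmp/cfg.txt && audit_snmp_config /tmp/cfg.txt
# Returns 0 when consistent, 1 when a warning was raised.
audit_snmp_config() {
    awk '
        /^set snmp agent-version / { versions[++n] = tolower($4) }   # last one wins
        /^set snmp community /     { communities[++c] = $4 }         # v1/v2c strings
        END {
            status = 0
            if (n > 1) {
                printf "WARN: %d agent-version lines present (", n
                for (i = 1; i <= n; i++) printf "%s%s", versions[i], (i < n ? ", " : "")
                print "); effective value is the last one: " versions[n]
                status = 1
            }
            if (n > 0 && versions[n] == "v3-only" && c > 0) {
                printf "WARN: effective agent-version is v3-Only but %d community string(s) remain:", c
                for (i = 1; i <= c; i++) printf " %s", communities[i]
                print ""
                status = 1
            }
            if (status == 0) print "OK: SNMP agent-version and community settings are consistent"
            exit status
        }
    ' "$1"
}

# Constructed sample reproducing the state from the post (not a real device dump).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set snmp agent-version any
set snmp community public read-only
set snmp agent-version v3-Only
EOF
audit_snmp_config "$sample"
echo "exit status: $?"
rm -f "$sample"
```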


5 Replies
nitzanef
Employee

This is by design, not a bug.
This behavior is to save the configuration when switching to version any (v1/v2/v3) or when implementing the configuration on a different machine (see PMTR-68517).


Nitzan

the_rock
Legend

Btw, customers can't see that PMTR, that's internal to CP employees only, it would seem.

Best,

Andy

Bob_Zimmerman
Authority

Then that is a terrible design on multiple levels.

  • "set snmp agent-version any" and "set snmp agent-version v3-Only" should not be able to coexist in the config. If you're going to use the string "v3-Only", then it should mean v3 ONLY. This is clearly a bug in either how clish works or in the naming of the config option.
  • If you're going to allow v2 config to remain when the agent version is set to both any and v3-Only, you should allow it to be removed when the agent version is set to v3-Only. This is clearly a bug in the validation of whether commands affecting v2 can be entered. The user should always be able to remove configuration items without changing unrelated items.
  • If there's v2 configuration, trying to set agent-version to v3-Only should at least generate a warning. I'd argue it should simply reject the input in the same way you can't delete a bond before you remove all of its members (deleting a bond could clearly be interpreted as removing all of its members from it, but clish doesn't work that way).
the_rock
Legend

Those are definitely valid points @Bob_Zimmerman 

the_rock
Legend

I get the same thing on R81.20 jumbo 41.

Andy
