Thursday, October 25, 2007

Monitoring Checkpoint Firewalls with SNMP


I've been doing some work for a client with Checkpoint firewalls (running SecurePlatform, or SPLAT), and wanted to monitor them using SNMP. The two main reasons being:

1. To graph accepted/dropped/rejected packets over time, and

2. To poll the firewalls for status using third-party management tools like "What's Up Gold" and "BMC Patrol".

The information I found in Checkpoint SecureKnowledge was terribly confusing, contradictory and misleading (it has lots of info about Nokia IPSO firewalls which doesn't work when using the SPLAT OS).


So a brief summary of what I had to do to get it to work correctly:

1. Enable snmpd (the standard net-snmp agent that ships with SPLAT) and make it start at boot:
chkconfig snmpd on
service snmpd start

2. Edit /etc/snmp/snmpd.conf and add:
rocommunity NotPublicCommunityString 192.168.0.1
proxy -v1 -c public 127.0.0.1:260 .1.3.6.1.4.1.2620
The first line gives read-only access to snmpd, restricted to the management server's source address (substitute your own community string and address; don't leave it as "public"). The second tells snmpd to forward any request under the Check Point enterprise subtree .1.3.6.1.4.1.2620 to cpsnmpd on the loopback address, UDP/260, using the read community configured in snmp.C in step 3.

3. Edit $FWDIR/conf/snmp.C and add:
:snmp_community (
:read ("public")
:write ("private")
)
These are the community strings cpsnmpd itself answers to; the read string must match the -c value on the proxy line above.

4. Run cpconfig and enable the SNMP extension (cpsnmpd).

5. Add the required security rule to permit SNMP (UDP/161) from the management server(s) to the firewall. You don't need to permit access to cpsnmpd (UDP/260): the management servers only ever talk to snmpd on UDP/161, and since cpsnmpd answers to the well-known "public"/"private" strings from snmp.C, it should stay reachable only from the firewall itself.


Following these changes you should be able to run 'netstat -an' and see cpsnmpd listening on UDP port 260 (alongside snmpd on UDP 161), and perform a local SNMP check of a Check Point subtree:
snmpwalk -v1 -c public localhost 1.3.6.1.4.1.2620.1.6

Gotchas to note:

1. The local snmpwalk above uses the "public" string (the one in snmp.C), NOT the one in snmpd.conf.

2. snmpwalk from a remote host uses "NotPublicCommunityString" (the snmpd.conf one), not "public".

3. Running snmpwalk locally (and maybe remotely) against the whole subtree 1.3.6.1.4.1.2620 causes the cpsnmpd process to die (restart it with '$CPDIR/bin/cpsnmpd -p 260', or cpstop; cpstart). Walk a narrower subtree such as 1.3.6.1.4.1.2620.1.1 or 1.3.6.1.4.1.2620.1.6 instead, or snmpget the specific OIDs you need, and don't let a monitoring tool's "discover"/walk feature loose on the enterprise root.

Once the above are done the management servers can query the enforcement module for Check Point SNMP OIDs, such as accepted packets and dropped packets, and Check Point OS OIDs like CPU usage (accurate), memory usage, etc. These queries go to the firewall on UDP/161; internally the snmpd process proxies any request under the subtree .1.3.6.1.4.1.2620 (the Check Point enterprise OID) to the cpsnmpd process on UDP/260 and relays the answer.

This happens by default in Nokia IPSO, but not on SecurePlatform.

Some good OIDs to Graph:

Active Real Memory .1.3.6.1.4.1.2620.1.6.7.4.4.0
Total Real Memory .1.3.6.1.4.1.2620.1.6.7.4.3.0
Packets accepted .1.3.6.1.4.1.2620.1.1.4.0
Packets dropped .1.3.6.1.4.1.2620.1.1.6.0
Packets rejected .1.3.6.1.4.1.2620.1.1.5.0
Packets logged .1.3.6.1.4.1.2620.1.1.7.0
Current connections .1.3.6.1.4.1.2620.1.1.25.3.0
Processor (System) .1.3.6.1.4.1.2620.1.6.7.2.2.0
Processor (User) .1.3.6.1.4.1.2620.1.6.7.2.1.0

And good OIDs to monitor for status:
Firewall Module State (Installed) .1.3.6.1.4.1.2620.1.1.1.0
Processor Usage .1.3.6.1.4.1.2620.1.6.7.2.4.0
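As an added example (not part of the original post, and not Check Point's code): a small bash check script that polls the status OIDs above through the snmpd proxy, the way a management tool would, plus a helper for turning the cumulative packet counters into per-second rates for graphing. It assumes net-snmp's snmpget on the polling host, takes the firewall and community from the command line (use the snmpd.conf community, not the snmp.C one), and uses hypothetical CPU thresholds. It deliberately does snmpget on explicit OIDs rather than walking .1.3.6.1.4.1.2620 (gotcha 3). The snmpget output lines shown in the comments are constructed, and the counter-wrap handling assumes the packet counters are 32-bit.

```bash
#!/bin/bash
# Added example, not from the original post: Nagios-style status check for a
# SecurePlatform firewall via the snmpd -> cpsnmpd proxy, plus a counter-rate
# helper for graphing. Assumptions (not in the original post): net-snmp snmpget
# is installed, thresholds are hypothetical defaults, packet counters wrap at 2^32.

OID_FW_STATE=".1.3.6.1.4.1.2620.1.1.1.0"       # Firewall Module State ("Installed")
OID_CPU_USAGE=".1.3.6.1.4.1.2620.1.6.7.2.4.0"  # Processor Usage (percent)
OID_MEM_TOTAL=".1.3.6.1.4.1.2620.1.6.7.4.3.0"  # Total Real Memory
OID_MEM_ACTIVE=".1.3.6.1.4.1.2620.1.6.7.4.4.0" # Active Real Memory

# snmp_value LINE: extract the value from one line of default snmpget output.
# Constructed examples:
#   'SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"' -> Installed
#   '.1.3.6.1.4.1.2620.1.6.7.2.4.0 = INTEGER: 12'                 -> 12
snmp_value() {
  local v="${1#* = }"   # drop 'OID = '
  v="${v#*: }"          # drop 'TYPE: '
  v="${v#\"}"           # strip the quotes snmpget puts around STRING values
  v="${v%\"}"
  printf '%s' "$v"
}

# is_uint VALUE: true when VALUE is a non-negative integer.
is_uint() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# evaluate STATE CPU MEM_TOTAL MEM_ACTIVE: print one status line and return the
# Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
evaluate() {
  local state="$1" cpu="$2" mem_total="$3" mem_active="$4"
  local cpu_warn="${CPU_WARN:-80}" cpu_crit="${CPU_CRIT:-95}"   # hypothetical defaults

  if [ "$state" != "Installed" ]; then
    echo "CRITICAL - firewall module state is '$state', expected 'Installed'"
    return 2
  fi
  if ! is_uint "$cpu"; then
    echo "UNKNOWN - processor usage not numeric: '$cpu'"
    return 3
  fi
  local mem_pct="n/a"
  if is_uint "$mem_total" && is_uint "$mem_active" && [ "$mem_total" -gt 0 ]; then
    mem_pct="$(( mem_active * 100 / mem_total ))%"
  fi
  if [ "$cpu" -ge "$cpu_crit" ]; then
    echo "CRITICAL - cpu=${cpu}% mem=${mem_pct}"
    return 2
  fi
  if [ "$cpu" -ge "$cpu_warn" ]; then
    echo "WARNING - cpu=${cpu}% mem=${mem_pct}"
    return 1
  fi
  echo "OK - state=$state cpu=${cpu}% mem=${mem_pct}"
  return 0
}

# counter_rate PREV CUR SECONDS: per-second rate between two polls of a
# cumulative counter (accepted/dropped/rejected/logged packets). The raw values
# only ever grow, so graph this delta, not the counter itself. Assumes Counter32.
counter_rate() {
  local prev="$1" cur="$2" secs="$3" delta
  [ "$secs" -gt 0 ] || secs=1
  if [ "$cur" -ge "$prev" ]; then
    delta=$(( cur - prev ))
  else
    delta=$(( cur + 4294967296 - prev ))   # one wrap of a 32-bit counter
  fi
  echo $(( delta / secs ))
}

# check_firewall HOST COMMUNITY: one snmpget for all four OIDs (no walk), then evaluate.
check_firewall() {
  local host="$1" community="$2" out
  out="$(snmpget -v1 -c "$community" -r 1 -t 3 "$host" \
          "$OID_FW_STATE" "$OID_CPU_USAGE" "$OID_MEM_TOTAL" "$OID_MEM_ACTIVE" 2>&1)" || {
    echo "UNKNOWN - snmpget failed: $out"
    return 3
  }
  local state cpu total active
  state="$(snmp_value "$(echo "$out" | sed -n 1p)")"
  cpu="$(snmp_value "$(echo "$out" | sed -n 2p)")"
  total="$(snmp_value "$(echo "$out" | sed -n 3p)")"
  active="$(snmp_value "$(echo "$out" | sed -n 4p)")"
  evaluate "$state" "$cpu" "$total" "$active"
}

# Run as a plugin when given a host and community; otherwise only define the functions.
if [ "$#" -ge 2 ]; then
  check_firewall "$1" "$2"
  exit $?
fi
```

Run it from the management host as ./check_cpfw.sh <firewall-ip> NotPublicCommunityString. The request goes to UDP/161 with the snmpd.conf community, and snmpd forwards the 2620 subtree to cpsnmpd for you, so UDP/260 never needs to be open in the rule base. The exit codes follow the Nagios convention, so the same script can back a status check in other tools, and counter_rate is what a graphing poller should store for the packet counters rather than the raw values.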

Useful Links:

Cacti - An excellent (+free) web front end to MRTG/RRDtool

Cacti Templates Index - Although the supplied Checkpoint/Nokia ones didn't work for me without customisation. I created some more graphs and data sources using the above OIDs.

What's Up Gold - The new version is very nice. Excellent Web based multi-user UI.

3 comments:

V a n c h i said...

Hi Clint,

Hope you are doing fine

I need chkpnt.mib for Checkpoint NGX R60

The MIB I got from the box produces a lot of errors on creating the mdl file

please mail the mib to vanchinathank@hcl.in

Regards,
Vanchi

Clint said...

Hi Vanchi

Sorry but I don't actually have access to an R60 box to get the mib for you.

Good luck with your search!

Clint

Unknown said...

Hi Clint, did you try
Free Real Memory 1.3.6.1.4.1.2620.1.6.7.1.5.0?

I think this will give the result that you are pursuing by monitoring Active and Total Real Memory. I am not sure if it was available in that version. It is available in version R65.