Solved

snmp monitoring of Checkpoint firewall

Posted on 2014-10-28
356 Views
Last Modified: 2014-10-30
I have enabled SNMP on my Check Point 4400 firewall running R77.10.

However, I am not sure how to create a rule on the firewall to allow SNMP traffic to flow between my monitoring server (10.1.1.20) and the internal interface of the firewall (10.1.1.16). I am new to Check Point, so I am a little lost.

(attached screenshot: SNMP-Rule.PNG)
All of the documentation I have found online states that this needs to be done, but provides no instruction on how to do it.

Please help.
Question by:mtkaiser
10 Comments
 
LVL 61

Expert Comment

by:gheist
You need to allow from IP to IP, and only SNMP.
0
 
LVL 12

Accepted Solution

by: Fidelius (earned 250 total points)
Your rule is OK. If you set up SNMP correctly, it should work.
You can clean up the rule a little bit and leave only snmp and snmp-trap.

If you want a stricter rule, make it like this:
(attached screenshot: CP monitoring rule)
And put the rule as high as possible, as it will be hit pretty often.
0
 
LVL 61

Assisted Solution

by: gheist (earned 250 total points)
No - SNMP requests come from the SNMP server, and Check Point keeps state to get the responses back to the SNMP server.
Then check the logs (from one host to the other host), looking for smart blocking errors; if there are any, change the rule to IP:any->CP:161, all UDP.

SNMP traps can notify the monitoring system (if it includes SNMP trap handling); that's out of scope for a first attempt. It will need a new rule in the other direction, 162/UDP, with the same hand-patting to make it work.
0
 
LVL 12

Expert Comment

by:Fidelius
Yes, I agree.
But if you put the rule the way I wrote it, you will at the same time allow SNMP queries from the server to Check Point, and Check Point sending traps to the server.
This rule can be separated into two rules, but if you put it like this, it is clearer and easier to manage.
0
 
LVL 61

Expert Comment

by:gheist
But why let unused protocols through?
0
 
LVL 12

Expert Comment

by:Fidelius
As I said, it is clearer and easier to manage. Also, it takes fewer resources on the firewall when compiling the rules.
If you want a strict and very high level of security, you can write two separate rules:
- one allowing server to CP only at udp/161
- the other allowing CP to server only for udp/162

In the end it is a balance between security and manageability.
0
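A way to see what the two policies discussed above actually permit, as an added illustration that is not part of the thread: a toy top-down rule matcher (a simplification, not Check Point policy syntax) over the addresses from the question, comparing the single combined rule with the two strict rules and listing the extra flows the combined rule lets through. It assumes a stateful firewall, so only the direction that opens a flow needs a rule.

```python
from itertools import permutations

MONITOR = "10.1.1.20"      # monitoring server, from the question
CP_INTERNAL = "10.1.1.16"  # firewall internal interface, from the question
ANY = "any"

# Two strict rules, as listed in the comment above: queries one way, traps the other.
STRICT_RULES = [
    (MONITOR, CP_INTERNAL, "udp", 161),  # server -> CP: SNMP get/walk
    (CP_INTERNAL, MONITOR, "udp", 162),  # CP -> server: SNMP traps
]

# One combined rule: both hosts in both columns, snmp and snmp-trap services.
COMBINED_RULES = [
    ({MONITOR, CP_INTERNAL}, {MONITOR, CP_INTERNAL}, "udp", {161, 162}),
]


def _matches(field, value):
    """A rule field is 'any', a set of accepted values, or a single literal."""
    if field == ANY:
        return True
    if isinstance(field, set):
        return value in field
    return field == value


def first_match(rules, src, dst, proto, dport):
    """Index of the first rule permitting the flow, or None for the implicit drop."""
    for idx, (r_src, r_dst, r_proto, r_port) in enumerate(rules):
        if (_matches(r_src, src) and _matches(r_dst, dst)
                and _matches(r_proto, proto) and _matches(r_port, dport)):
            return idx
    return None


def excess_flows(loose, strict, hosts=(MONITOR, CP_INTERNAL), ports=(161, 162)):
    """Flows the loose rule set permits that the strict one drops.

    Enumerates both directions between the hosts and both SNMP ports; the
    result is the 'unused protocols' that a combined rule lets through.
    """
    flows = set()
    for src, dst in permutations(hosts, 2):
        for port in ports:
            if (first_match(loose, src, dst, "udp", port) is not None
                    and first_match(strict, src, dst, "udp", port) is None):
                flows.add((src, dst, "udp", port))
    return flows
```

excess_flows(COMBINED_RULES, STRICT_RULES) returns the two flows the combined rule adds: server to CP on udp/162 and CP to server on udp/161.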
 
LVL 61

Expert Comment

by:gheist
In other words, sacrificing security on the altar of laziness ;)
0
 
LVL 12

Expert Comment

by:Fidelius
It depends :)
Sometimes going to more restrictive policies on the inside network leads to more problems, especially if you have lots of rules and lots of systems to manage. But this is a totally different subject from the one in question ;)
0
 
LVL 61

Expert Comment

by:gheist
My point is to check for conflicts with the inspection engine at the very beginning, to keep it running problem-free afterwards.
0
 

Author Closing Comment

by:mtkaiser
Thanks guys!!
0
