Solved

snmp monitoring of Checkpoint firewall

Posted on 2014-10-28
10
408 Views
Last Modified: 2014-10-30
I have enabled SNMP on my checkpoint 4400 firewall running R77.10.  

However, I am not sure how to create a rule on the firewall to allow SNMP traffic to flow between my monitoring server (10.1.1.20) and the internal interface of the firewall (10.1.1.16).  I am new to Checkpoints so am a little lost.

SNMP-Rule.PNG
All of the documentation I have found online states that this needs to be done, but provides no instruction on how to do it.

Please help.
0
Comment
Question by:mtkaiser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40410092
You need to allow from IP to IP and only SNMP
0
 
LVL 12

Accepted Solution

by:
Fidelius earned 250 total points
ID: 40410257
Your rule is OK. If you set up SNMP correctly, it should work.
You can clean up rule a little bit and leave only snmp and snmp-trap.

If you want more strict rule make it like this:
CP monitoring rule
And put the rule as high as possible, as it will be hit pretty often.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40410370
No - snmp requests come from SNMP server and checkpoint keeps state to get responses back to SNMP server.
Then check logs (from one host to other host, looking for smart blocking errors, if yes, change rule to IP:any->CP:161 all UDP))

SNMP traps can notify monitoring system (if it includes SNMP trap handling), thats out of scope for first attempt. It will need a new rule in other direction 162/UDP, with same hand-patting to make it work.
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

 
LVL 12

Expert Comment

by:Fidelius
ID: 40410441
Yes, I agree.
But if you put rule the way I wrote it, you will at the same time allow snmp queries from server to CheckPoint, and CheckPoint sending traps to server.
This rule can be separated in two rules, but if you put it like this, it is more clearer and easier to manage.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40410447
But why to let unused protocols through?
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40410469
As I said, it is more clearer and easier to manage. Also it takes less resources on firewall upon compiling rules
If you want strict and very high level of security you can write two separate rules
- one allowing server to CP only at udp/161
- other allowing CP to server only for udp/162

At the end it is balance between security and manageability.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40410477
In other words sacrificing of security on altar of laziness ;)
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40410492
It depends :)
Sometimes going to more restricted policies on inside network leads to more problems, especially if you have lots of rules, and lots of systems to manage. But this is totally different subject from one in question ;)
0
 
LVL 62

Expert Comment

by:gheist
ID: 40410509
My point is to check for conflicts with inspection engine at the very beginning to keep it running problem-free after.
0
 

Author Closing Comment

by:mtkaiser
ID: 40413709
Thanks guys!!
0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t pr…
When posting a question about a Cisco ASA, Cisco Router or Cisco Switch, it can aid diagnosis if a suitably sanitised copy of the config is provided. It is much better to leave as much of the configuration as original as possible, as it could be tha…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question