snmp monitoring of Checkpoint firewall

I have enabled SNMP on my checkpoint 4400 firewall running R77.10.  

However, I am not sure how to create a rule on the firewall to allow SNMP traffic to flow between my monitoring server (10.1.1.20) and the internal interface of the firewall (10.1.1.16).  I am new to Checkpoints so am a little lost.

SNMP-Rule.PNG
All of the documentation I have found online states that this needs to be done, but provides no instruction on how to do it.

Please help.
mtkaiserAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
You need to allow from IP to IP and only SNMP
0
FideliusCommented:
Your rule is OK. If you set up SNMP correctly, it should work.
You can clean up rule a little bit and leave only snmp and snmp-trap.

If you want more strict rule make it like this:
CP monitoring rule
And put the rule as high as possible, as it will be hit pretty often.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
No - snmp requests come from SNMP server and checkpoint keeps state to get responses back to SNMP server.
Then check logs (from one host to other host, looking for smart blocking errors, if yes, change rule to IP:any->CP:161 all UDP))

SNMP traps can notify monitoring system (if it includes SNMP trap handling), thats out of scope for first attempt. It will need a new rule in other direction 162/UDP, with same hand-patting to make it work.
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

FideliusCommented:
Yes, I agree.
But if you put rule the way I wrote it, you will at the same time allow snmp queries from server to CheckPoint, and CheckPoint sending traps to server.
This rule can be separated in two rules, but if you put it like this, it is more clearer and easier to manage.
0
gheistCommented:
But why to let unused protocols through?
0
FideliusCommented:
As I said, it is more clearer and easier to manage. Also it takes less resources on firewall upon compiling rules
If you want strict and very high level of security you can write two separate rules
- one allowing server to CP only at udp/161
- other allowing CP to server only for udp/162

At the end it is balance between security and manageability.
0
gheistCommented:
In other words sacrificing of security on altar of laziness ;)
0
FideliusCommented:
It depends :)
Sometimes going to more restricted policies on inside network leads to more problems, especially if you have lots of rules, and lots of systems to manage. But this is totally different subject from one in question ;)
0
gheistCommented:
My point is to check for conflicts with inspection engine at the very beginning to keep it running problem-free after.
0
mtkaiserAuthor Commented:
Thanks guys!!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Hardware-Other

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.