- Posts: 3
- Thank you received: 0
FW-1 and SNMP Question
20 years 5 months ago #4315
by swirl
FW-1 and SNMP Question was created by swirl
We are using Firewall-1, Version 4.1 between two networks with Solaris nodes on them. Control over these nodes is accomplished using HP Openview and it's Network Node Manager. We are tightening vulnerabilities where we can and my question is about the SNMP community name. Can anyone tell me what changes have to be done on the Firewall-1 node to change from the default string of public?
20 years 5 months ago #4322
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: FW-1 and SNMP Question
The Bishop is propably one of the most experienced users here at Firewall.cx, I'm sure he'll jump onto this question and nail it home!
Cheers,
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 5 months ago #4326
by TheBishop
Spookily, I'm trying to get SNMP working properly too!
Go into the Policy Editor and open up the policy that's currently running on your firewall. In the browser on the left hand side, find the Workstation entry that represents the firewall itself. Double-click that and you'll bring up the edit dialogue. If you click on Advanced in the tree window you will get a page that allows you to change the SMNP details including community strings. Once you've done that, save the policy and install it onto the firewall. Remeber that your firewall rules must also allow your SNMP and SNMP trap traffic to pass through the firewall to their destination. And also check the setup of SNMP on the machine that the firewall is running on. Make sure your community string etc is also correct there
Go into the Policy Editor and open up the policy that's currently running on your firewall. In the browser on the left hand side, find the Workstation entry that represents the firewall itself. Double-click that and you'll bring up the edit dialogue. If you click on Advanced in the tree window you will get a page that allows you to change the SMNP details including community strings. Once you've done that, save the policy and install it onto the firewall. Remeber that your firewall rules must also allow your SNMP and SNMP trap traffic to pass through the firewall to their destination. And also check the setup of SNMP on the machine that the firewall is running on. Make sure your community string etc is also correct there
20 years 5 months ago #4330
by swirl
Thanks!
OK, now I've updated the policy using the editor and I see it updated the objects.C file in the conf directory of the FW-1 software. The traffic rules are already in place and working so that part is OK. Can you perhaps help with the last step in your answer? I see that the policy editor describes the software as SNMPv3 agent from SNMP Research, which is what we have on the non-FW nodes. On those other nodes, I updated the /opt/snmp15.1.0.3/srconf/agt/snmpd.cnf file with the new community strings. I can't find a comparable file on the FW-1 node. Do you know where its daemon /opt/CPfw1-41/bin/snmpd gets it's config?
Thanks Much!
Shirl
OK, now I've updated the policy using the editor and I see it updated the objects.C file in the conf directory of the FW-1 software. The traffic rules are already in place and working so that part is OK. Can you perhaps help with the last step in your answer? I see that the policy editor describes the software as SNMPv3 agent from SNMP Research, which is what we have on the non-FW nodes. On those other nodes, I updated the /opt/snmp15.1.0.3/srconf/agt/snmpd.cnf file with the new community strings. I can't find a comparable file on the FW-1 node. Do you know where its daemon /opt/CPfw1-41/bin/snmpd gets it's config?
Thanks Much!
Shirl
20 years 5 months ago #4350
by TheBishop
According to the manual the SNMP extension is configured from the cpconfig program, so run that and have a look. I'm afraid I'm not a unix guru :oops: , but if that doesn't help then post a reply and I'm sure one of our other contributors will come to your aid. I've had a look on my firewall and there doesn't seem to be an snmp daemon running at all. Very strange.
20 years 5 months ago #4375
by swirl
Replied by swirl on topic Re: FW-1 and SNMP Question
The cpconfig command yields the following:
security:/opt/CPfw1-41/conf>cpconfig
Welcome to Check Point Configuration Program
=================================
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.
Configuration Options:
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) External Interface
(6) SMTP Server
(7) SNMP Extension
(8 Groups
(9) IP Forwarding
(10) Default Filter
(11) Exit
Enter your choice (1-11) :7
Configuring SNMP Extension...
=============================
The SNMP daemon enables VPN-1 & FireWall-1 module
to export its status to external network management tools.
Would you like to disable VPN-1 & FireWall-1 SNMP daemon ? (y/n) [n] ? n
While our internal installation procedures clearly document that we install using the "n" option so that the SNMP daemon is not disabled, I know of no instance where we "export the FW-1 module status". So, short of scheduling lab time and just trying it, I'm going to assume that either A: we don't need the community name configured correctly on the FW-1 node. -or- B: configuring it will be easy and the snmpd daemon must get it's startup info from the objects.C file updated using the policy editor.
I will let you know if and when I actually get direction from management to try it.
Thanks again!
Shirl
security:/opt/CPfw1-41/conf>cpconfig
Welcome to Check Point Configuration Program
=================================
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.
Configuration Options:
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) External Interface
(6) SMTP Server
(7) SNMP Extension
(8 Groups
(9) IP Forwarding
(10) Default Filter
(11) Exit
Enter your choice (1-11) :7
Configuring SNMP Extension...
=============================
The SNMP daemon enables VPN-1 & FireWall-1 module
to export its status to external network management tools.
Would you like to disable VPN-1 & FireWall-1 SNMP daemon ? (y/n) [n] ? n
While our internal installation procedures clearly document that we install using the "n" option so that the SNMP daemon is not disabled, I know of no instance where we "export the FW-1 module status". So, short of scheduling lab time and just trying it, I'm going to assume that either A: we don't need the community name configured correctly on the FW-1 node. -or- B: configuring it will be easy and the snmpd daemon must get it's startup info from the objects.C file updated using the policy editor.
I will let you know if and when I actually get direction from management to try it.
Thanks again!
Shirl
Time to create page: 0.141 seconds