Enabling SNMP v3 Part 2: Checkpoint R75 (Gaia & Splat) (AES and SHA Configuration) - NETSEC



Tuesday, May 6, 2014


This post is the second part of the SNMPv3 configuration series. The first part, covering Cisco devices, is in this post.

While setting up SNMPv3 on a Checkpoint appliance, I found some steps and notes useful, so I have put them together here for future reference.

1. SNMP General Settings:

2. V3 - User-based Security Model (USM):

Authentication uses MD5.
Privacy uses DES.
If you want SHA or AES instead, you have to add the SNMPv3 user from the command line. All the steps are listed under Step 4.

3. Enabled Traps

4. Trap Receivers Settings

For the command lines, there is a good post on pingtool.org; some of its configuration is copied here:

set snmp agent on
set snmp contact "[email protected]"
set snmp location "Middle of nowhere"
add snmp address
set snmp agent-version v3-Only
add snmp usm user snmpv3user security-level authPriv auth-pass-phrase 111222333 privacy-pass-phrase 555666777

Notes: By default, the Checkpoint WebGUI only supports MD5 and DES as the SNMPv3 Authentication Type and Privacy Type. When setting up the SNMP manager server, make sure you choose MD5 and DES to match.

CP> show snmp 
addresses     - snmp agent address
agent         - snmp daemon
agent-version - snmp version
community     - snmp agent community
contact       - snmp Contact
location      - snmp Location
traps         - snmp Traps
usm           - SNMPv3 USM (User-based Security Model)

CP> show snmp usm user ReadView-All
Username ReadView-All
Security Level authPriv
Authentication Type MD5
Privacy Type DES

Note: From the command line, an SNMPv3 user that uses SHA or AES can be added manually. The following steps, taken from SK97692, configure SNMPv3 users on Gaia OS to use SHA (SHA1) authentication and/or AES privacy:

4.1. Connect to the command line on the Gaia OS machine (over SSH, or console).

4.2. Log in to Clish.

4.3. Stop the SNMP Agent from Clish:
HostName> set snmp agent off

4.4. Log in to Expert mode.

4.5. Back up the current /etc/snmp/userDefinedSettings.conf file:
[Expert@HostName]# cp /etc/snmp/userDefinedSettings.conf /etc/snmp/userDefinedSettings.conf_ORIGINAL

4.6. Edit the current /etc/snmp/userDefinedSettings.conf file:
[Expert@HostName]# vi /etc/snmp/userDefinedSettings.conf

4.7. Define an SNMPv3 user by using the 'createUser' directive, followed by the 'rwuser' directive.
General syntax:

createUser username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]

rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]

Notes for 'createUser' directive:

'createUser' directive creates an SNMPv3 user. 
MD5 and SHA are the authentication types to use. 
DES and AES are the privacy protocols to use. 
If the privacy 'privpassphrase' is not specified, it is assumed to be the same as the authentication 'authpassphrase'. 
Warning: the minimum pass phrase length is 8 characters.

Notes for 'rwuser' directive:

'rwuser' directive allows read-write (GET, GETNEXT and SET) access for an SNMPv3 user (by default, this will provide access to the full OID tree for authenticated (including encrypted) SNMPv3 requests, using the default context). 
'noauth' allows unauthenticated requests. 
'auth' allows only authenticated requests. 
'priv' enforces the use of encryption. 
The 'OID' field restricts access for that user to the subtree rooted at the given OID. 
The 'VIEW' field restricts access for that user to the subtree rooted at the given named view. 

createUser test_user SHA pass1234
rwuser test_user

4.8. Log in to Clish.

4.9. Start the SNMP Agent from Clish:
HostName> set snmp agent on
HostName> save config

4.10. Log in to Expert mode.

4.11. Test the new SNMPv3 user:
[Expert@HostName]# snmpget -v 3 -u <username> -n "" -l authNoPriv -a SHA -A <password> localhost sysUpTime.0
[Expert@HostName]# snmpget -v 3 -u test_user -n "" -l authNoPriv -a SHA -A pass1234 localhost sysUpTime.0
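Added example, not code from the post, SK97692 or Check Point: a small Python audit of the 'createUser'/'rwuser' directives described in step 4.7, run against a constructed userDefinedSettings.conf sample. It applies the rules stated above (MD5|SHA, DES|AES, 8-character minimum, privpassphrase defaulting to authpassphrase, rwuser defaulting to authenticated-only access) and flags the MD5/DES defaults, short passphrases, 'noauth', and users whose privacy protocol is configured but not enforced with 'priv'.

```python
"""Audit the createUser/rwuser directives in Gaia's /etc/snmp/userDefinedSettings.conf
(step 4.7 above). Added example, not Check Point tooling; SAMPLE_CONF is constructed."""
import shlex
MIN_PASSPHRASE = 8  # minimum pass phrase length stated in the post
LEVELS = ("noauth", "auth", "priv")

SAMPLE_CONF = """\
createUser test_user SHA pass1234 AES      # SHA + AES, rwuser enforces encryption
rwuser test_user priv
createUser legacy_user MD5 oldpass99 DES   # the defaults the WebGUI offers
rwuser legacy_user
createUser short_user SHA abc              # passphrase too short, no privacy protocol
rwuser short_user noauth
rwuser ghost_user auth                     # no matching createUser
"""

def parse_users(text):
    """Return ({name: settings}, {name: rwuser level}) from the directive lines."""
    users, rw = {}, {}
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if parts[:1] == ["createUser"] and len(parts) >= 4:
            # an omitted privpassphrase is assumed equal to the authpassphrase
            users[parts[1]] = {"auth": parts[2].upper(), "authpass": parts[3],
                               "priv": parts[4].upper() if len(parts) > 4 else None,
                               "privpass": parts[5] if len(parts) > 5 else parts[3]}
        elif parts[:1] == ["rwuser"]:
            args = parts[3:] if parts[1:2] == ["-s"] else parts[1:]  # skip "-s SECMODEL"
            if args:  # level defaults to auth (authenticated requests only)
                rw[args[0]] = args[1] if args[1:2] and args[1] in LEVELS else "auth"
    return users, rw

def audit(text):
    """Return (user, finding) pairs for weak or inconsistent SNMPv3 user settings."""
    users, rw = parse_users(text)
    found = []
    for name, u in users.items():
        short = [k for k in ("authpass", "privpass") if len(u[k]) < MIN_PASSPHRASE]
        checks = [(u["auth"] == "MD5", "MD5 authentication; prefer SHA"),
                  (u["priv"] is None, "no privacy protocol, responses are not encrypted"),
                  (u["priv"] == "DES", "DES privacy; prefer AES"),
                  (bool(short), "/".join(short) + f" shorter than {MIN_PASSPHRASE} characters")]
        found += [(name, msg) for hit, msg in checks if hit]
    for name, level in rw.items():
        checks = [(name not in users, "rwuser has no matching createUser"),
                  (level == "noauth", "noauth grants unauthenticated read-write access"),
                  (level == "auth" and users.get(name, {}).get("priv"),
                   "privacy configured but not enforced; use 'priv'")]
        found += [(name, msg) for hit, msg in checks if hit]
    return found
```

Run audit() over the real file after editing it in step 4.6, before starting the agent again; a clean result means every user matches what the SNMP manager will be configured to expect.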

5. Restart your snmp daemon:

[Expert@CP-FW]# service snmpd restart
Stopping snmpd: [FAILED]
Starting snmpd: [  OK  ]
[Expert@CP-FW]# service snmpd restart
Stopping snmpd: [  OK  ]
Starting snmpd: [  OK  ]

For SPLAT OS, refer to the following post:

[Expert@FW]# snmp user del public
[Expert@FW]# snmp user add authuser Nagios pass complexpassphrase priv privatepass
[Expert@FW]# snmp service enable
[Expert@FW]# cat /etc/snmp/snmpd.conf
master agentx
syslocation "GDAI"
syscontact CIT32-Security
sysservices 76
rocommunity Snmp3166*
trap2sink Snmp3166*
cp_cleartrap 10 2
proc syslogd 1 1
disk /var 20%
cp_monitor == 2 60 "link 1 down"
cp_monitor prErrorFlag.1 != "0" 60 "process monitor"
cp_monitor dskErrorFlag.1 != 0 60 "disk monitor"
cp_monitor > 100 60 "CPU load 1 min"
cp_monitor > 90 60 "CPU load 5 min"
cp_monitor < 2000 60 "memAvailSwap"
cp_monitor < 2000 60 "memAvailReal"
cp_monitor != "active" 20 "Cluster State"
cp_monitor > 50000 20 "Firewall connections"
cp_monitor > 60000 60 "/opt hrStorageUsed"
exec maxconn /bin/sh /home/admin/getMaxConn.sh

Activate the Check Point MIB with cpconfig by selecting the menu item:
2. SNMP Extension

There should be 2 processes running:
/usr/sbin/snmpd
/opt/CPshrd-R75.40/bin/cpsnmpd

Want to get the current number of connections in real time?
[Expert@FW]# cat getMaxConn.sh
#!/bin/sh
# extract the number after 'out of' from the Concurrent Connections line
/bin/cpfw_start ctl pstat | grep 'Concurrent Connections:' | sed 's/.*out of\ \([0-9]\+\).*/\1/g'

By the way, to avoid SNMP spam messages in /var/log/messages such as:
Dec 7 15:50:48 hostname snmpd[2621]: Received SNMP packet(s) from UDP: []:34665

Follow this SK: Disable verbose SNMP logging - "snmpd[PID]: Received SNMP packet(s) from UDP:" (Solution ID: sk59023)
