We are using Firewall-1, Version 4.1 between two networks with Solaris nodes on them. Control over these nodes is accomplished using HP Openview and its Network Node Manager. We are tightening vulnerabilities where we can and my question is about the SNMP community name. Can anyone tell me what changes have to be done on the Firewall-1 node to change from the default string of public?
Spookily, I'm trying to get SNMP working properly too!
Go into the Policy Editor and open up the policy that's currently running on your firewall. In the browser on the left-hand side, find the Workstation entry that represents the firewall itself. Double-click that and you'll bring up the edit dialogue. If you click on Advanced in the tree window you will get a page that allows you to change the SNMP details including community strings. Once you've done that, save the policy and install it onto the firewall. Remember that your firewall rules must also allow your SNMP and SNMP trap traffic to pass through the firewall to their destination. And also check the setup of SNMP on the machine that the firewall is running on. Make sure your community string etc. is also correct there.
OK, now I've updated the policy using the editor and I see it updated the objects.C file in the conf directory of the FW-1 software. The traffic rules are already in place and working so that part is OK. Can you perhaps help with the last step in your answer? I see that the policy editor describes the software as SNMPv3 agent from SNMP Research, which is what we have on the non-FW nodes. On those other nodes, I updated the /opt/snmp22.214.171.124/srconf/agt/snmpd.cnf file with the new community strings. I can't find a comparable file on the FW-1 node. Do you know where its daemon /opt/CPfw1-41/bin/snmpd gets its config?
According to the manual the SNMP extension is configured from the cpconfig program, so run that and have a look. I'm afraid I'm not a unix guru :oops: , but if that doesn't help then post a reply and I'm sure one of our other contributors will come to your aid. I've had a look on my firewall and there doesn't seem to be an snmp daemon running at all. Very strange.
The cpconfig command yields the following:
Welcome to Check Point Configuration Program
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.
(3) GUI clients
(4) Remote Modules
(5) External Interface
(6) SMTP Server
(7) SNMP Extension
(9) IP Forwarding
(10) Default Filter
Enter your choice (1-11) :7
Configuring SNMP Extension...
The SNMP daemon enables VPN-1 & FireWall-1 module
to export its status to external network management tools.
Would you like to disable VPN-1 & FireWall-1 SNMP daemon ? (y/n) [n] ? n
While our internal installation procedures clearly document that we install using the "n" option so that the SNMP daemon is not disabled, I know of no instance where we "export the FW-1 module status". So, short of scheduling lab time and just trying it, I'm going to assume that either A: we don't need the community name configured correctly on the FW-1 node, or B: configuring it will be easy and the snmpd daemon must get its startup info from the objects.C file updated using the policy editor.
I will let you know if and when I actually get direction from management to try it.