Hot Downloads

Welcome, Guest
Username: Password: Remember me
  • Page:
  • 1
  • 2

TOPIC: FW-1 and SNMP Question

FW-1 and SNMP Question 12 years 5 months ago #4315

  • swirl
  • swirl's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
We are using Firewall-1, Version 4.1 between two networks with Solaris nodes on them. Control over these nodes is accomplished using HP Openview and it's Network Node Manager. We are tightening vulnerabilities where we can and my question is about the SNMP community name. Can anyone tell me what changes have to be done on the Firewall-1 node to change from the default string of public?
The administrator has disabled public write access.

Re: FW-1 and SNMP Question 12 years 5 months ago #4322

  • Chris
  • Chris's Avatar
  • Offline
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
The Bishop is propably one of the most experienced users here at Firewall.cx, I'm sure he'll jump onto this question and nail it home!

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
The administrator has disabled public write access.

SNMP 12 years 5 months ago #4326

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Spookily, I'm trying to get SNMP working properly too!
Go into the Policy Editor and open up the policy that's currently running on your firewall. In the browser on the left hand side, find the Workstation entry that represents the firewall itself. Double-click that and you'll bring up the edit dialogue. If you click on Advanced in the tree window you will get a page that allows you to change the SMNP details including community strings. Once you've done that, save the policy and install it onto the firewall. Remeber that your firewall rules must also allow your SNMP and SNMP trap traffic to pass through the firewall to their destination. And also check the setup of SNMP on the machine that the firewall is running on. Make sure your community string etc is also correct there
The administrator has disabled public write access.

SNMP 12 years 5 months ago #4330

  • swirl
  • swirl's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
Thanks!
OK, now I've updated the policy using the editor and I see it updated the objects.C file in the conf directory of the FW-1 software. The traffic rules are already in place and working so that part is OK. Can you perhaps help with the last step in your answer? I see that the policy editor describes the software as SNMPv3 agent from SNMP Research, which is what we have on the non-FW nodes. On those other nodes, I updated the /opt/snmp15.1.0.3/srconf/agt/snmpd.cnf file with the new community strings. I can't find a comparable file on the FW-1 node. Do you know where its daemon /opt/CPfw1-41/bin/snmpd gets it's config?

Thanks Much!
Shirl
The administrator has disabled public write access.

SNMP 12 years 5 months ago #4350

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
According to the manual the SNMP extension is configured from the cpconfig program, so run that and have a look. I'm afraid I'm not a unix guru :oops: , but if that doesn't help then post a reply and I'm sure one of our other contributors will come to your aid. I've had a look on my firewall and there doesn't seem to be an snmp daemon running at all. Very strange.
The administrator has disabled public write access.

Re: FW-1 and SNMP Question 12 years 5 months ago #4375

  • swirl
  • swirl's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
The cpconfig command yields the following:
security:/opt/CPfw1-41/conf>cpconfig
Welcome to Check Point Configuration Program
=================================
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.

Configuration Options:
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) External Interface
(6) SMTP Server
(7) SNMP Extension
(8 Groups
(9) IP Forwarding
(10) Default Filter

(11) Exit

Enter your choice (1-11) :7


Configuring SNMP Extension...
=============================
The SNMP daemon enables VPN-1 & FireWall-1 module
to export its status to external network management tools.
Would you like to disable VPN-1 & FireWall-1 SNMP daemon ? (y/n) [n] ? n

While our internal installation procedures clearly document that we install using the "n" option so that the SNMP daemon is not disabled, I know of no instance where we "export the FW-1 module status". So, short of scheduling lab time and just trying it, I'm going to assume that either A: we don't need the community name configured correctly on the FW-1 node. -or- B: configuring it will be easy and the snmpd daemon must get it's startup info from the objects.C file updated using the policy editor.

I will let you know if and when I actually get direction from management to try it.

Thanks again!
Shirl
The administrator has disabled public write access.
  • Page:
  • 1
  • 2
Time to create page: 0.085 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup