In a Check Point environment, SecureTrack normally monitors the Check Point management server, and all information about a connected firewall is gathered from there. Sometimes this information is to be collected directly from the firewall via SNMP instead. This has worked well for many versions of Check Point and SecureTrack when following the configuration guide published by Tufin, provided the corresponding license (TF-SECTRK-CP-GAIA-OS-MONITOR) has been purchased.

Hint:
If you import a Check Point firewall this way, all topology data are derived from the firewall itself and no longer from the Check Point management. So if there is a problem with SNMP (e.g. connectivity or authentication), no topology data are available for this firewall.

Problem with Check Point R81:
Regardless of a configuration that has worked before (e.g. for R80), a firewall running R81 reports "wrong password" in Menu > Settings > Administration > Status.

Therefore no data are imported into SecureTrack and no topology information is available for this firewall.

According to a discussion in the Check Point CheckMates community, authentication of SNMPv3 users with SHA1 is no longer supported by default; only SHA256 and SHA512 are. The additional steps needed to solve this are described in CheckMates. So the complete integration of a Check Point firewall into SecureTrack consists of these steps:

  • Open the WebUI of GAiA
    • Activate the SNMP agent with SNMPv3 and select the corresponding interface

    • Define a user (e.g. username "securetrack", passphrase "password123")

      This user then shows up in GAiA.

      Because of the authentication protocol selected for it (SHA256 by default in R81), this user cannot authenticate when configured in SecureTrack.

  • After closing the WebUI, open a console window on the GAiA system.
    In Expert Mode, check that this user can authenticate, e.g. with this command:
    r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA-256 -A password123 -x AES -X password123 127.0.0.1 HOST-RESOURCES-MIB::hrSystemUptime.0
    HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (27949040) 3 days, 5:38:10.40
    r81_expert>

  • Now the authentication protocol has to be changed. The corresponding values (the OIDs of the authentication protocols) can be taken e.g. from a system running GAiA R80 (file /config/active).
    By default in R81, the user is listed in this file with the following entry, which denotes SHA256:
       r81_expert> cat /config/active | grep auth:proto
       snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5

    To change the authentication protocol of the user defined above to SHA1, run this on the console in Expert Mode:
    r81_expert> dbset snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.3

  • The authentication type has now been changed to SHA1. This can be checked in the console (clish) or in the WebUI:
    r81> show snmp usm user securetrack
      Username securetrack
      Permissions read-only
      Security Level authPriv
      Authentication Type SHA1
      Privacy Type AES


  • Since the authentication protocol has been changed, the passphrases have to be set again (this is a clish command); don't forget this step:
    r81> set snmp usm user securetrack security-level authPriv auth-pass-phrase password123 privacy-pass-phrase password123
    r81>
    Then check the authentication again in Expert Mode, e.g. with this command (net-snmp spells SHA1 as "SHA"):
    r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA -A password123 -x AES -X password123 127.0.0.1 HOST-RESOURCES-MIB::hrSystemUptime.0
    HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (28182734) 3 days, 6:17:07.34
    r81_expert>
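As an added example (not code from this page or from Tufin or Check Point), the following POSIX shell script ties the console steps above together: it resolves the usmUserAuthProtocol OID that GAiA stores under snmp:v3:user:<name>:auth:proto in /config/active to a protocol name and to the "-a" spelling net-snmp expects, and builds the snmpwalk check from that value instead of typing the flag by hand. It covers the whole OID set from RFC 3414 and RFC 7860, not just the two OIDs (.3 for SHA1, .5 for SHA256) shown above. The config lines are constructed, the user "legacy" is hypothetical, and the script only prints the dbset and snmpwalk commands rather than running them, so it can be executed anywhere.

```shell
#!/bin/sh
# Added example, not taken from the Tufin or Check Point documentation: resolve the
# usmUserAuthProtocol OID that GAiA stores in /config/active for an SNMPv3 user to the
# protocol name and to the "-a" value net-snmp expects, and build the snmpwalk check
# from it. Nothing here talks to a gateway; the config lines below are constructed.

# Constructed sample of /config/active lines (dbset key/value pairs), not a real capture.
SAMPLE_ACTIVE='snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5
snmp:v3:user:securetrack:priv:proto .1.3.6.1.6.3.10.1.2.4
snmp:v3:user:legacy:auth:proto .1.3.6.1.6.3.10.1.1.3'

# usmUserAuthProtocol OIDs: .1 none, .2 MD5, .3 SHA1 (RFC 3414); .4 to .7 SHA-2 (RFC 7860).
auth_proto_name() {
  case "$1" in
    .1.3.6.1.6.3.10.1.1.1) echo NONE ;;
    .1.3.6.1.6.3.10.1.1.2) echo MD5 ;;
    .1.3.6.1.6.3.10.1.1.3) echo SHA1 ;;
    .1.3.6.1.6.3.10.1.1.4) echo SHA-224 ;;
    .1.3.6.1.6.3.10.1.1.5) echo SHA-256 ;;
    .1.3.6.1.6.3.10.1.1.6) echo SHA-384 ;;
    .1.3.6.1.6.3.10.1.1.7) echo SHA-512 ;;
    *) echo UNKNOWN ;;
  esac
}

# Spelling of the snmpwalk -a argument: net-snmp calls SHA1 plain "SHA" and the SHA-2
# variants "SHA-256" etc. Returns 1 when the OID carries no usable authentication protocol.
snmpwalk_auth_flag() {
  name=$(auth_proto_name "$1")
  case "$name" in
    SHA1) echo SHA ;;
    MD5|SHA-*) echo "$name" ;;
    *) return 1 ;;
  esac
}

# Print the auth proto OID of user $2 from the config text $1; fails if the user has none.
user_auth_oid() {
  oid=$(printf '%s\n' "$1" | awk -v key="snmp:v3:user:$2:auth:proto" '$1 == key { print $2; exit }')
  [ -n "$oid" ] || return 1
  echo "$oid"
}

# Build the verification command the page runs against 127.0.0.1, with -a derived from
# the stored protocol ($1 config text, $2 user, $3 passphrase; AES privacy with the
# same passphrase, as on the page).
verify_command() {
  oid=$(user_auth_oid "$1" "$2") || return 1
  flag=$(snmpwalk_auth_flag "$oid") || return 1
  printf 'snmpwalk -v 3 -l authPriv -u %s -a %s -A %s -x AES -X %s 127.0.0.1 HOST-RESOURCES-MIB::hrSystemUptime.0\n' \
    "$2" "$flag" "$3" "$3"
}

# The dbset line that switches user $1 to SHA1, exactly as the page does; printed
# rather than executed so the script is safe to run off the gateway.
dbset_sha1_command() {
  printf 'dbset snmp:v3:user:%s:auth:proto .1.3.6.1.6.3.10.1.1.3\n' "$1"
}

# Usage: show the current protocol of the page's user and the commands for both states.
echo "securetrack currently uses $(auth_proto_name "$(user_auth_oid "$SAMPLE_ACTIVE" securetrack)")"
verify_command "$SAMPLE_ACTIVE" securetrack password123
dbset_sha1_command securetrack
verify_command "$SAMPLE_ACTIVE" legacy password123
```

The point of deriving the flag from /config/active is that the OID written by dbset (.1.3.6.1.6.3.10.1.1.3) selects HMAC-SHA-1 from RFC 3414 in place of the HMAC-SHA-256 default, so "show snmp usm user" afterwards reports SHA1 and the snmpwalk check has to use "-a SHA"; a check still run with "-a SHA-256" would fail even though the user and passphrases are correct.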

  • Now everything is prepared to import the firewall module into SecureTrack via Menu > Settings > Monitoring > Manage Devices.

  • Select the firewall you want to import (in this example only one firewall is connected to the management).

    Be sure to fill in the correct user name and password as configured before, then press Next.

  • Now select the network interface SecureTrack shall connect to

    and import the interface. The configuration is then saved automatically.

  • In Menu > Administration > Status the firewall shows up. Check its status: it should be "green" and "started".

  • If this is the case, the first revision should have shown up. This can be checked via Menu > Compare.