This article is about a legacy license feature. This feature cannot be licensed anymore. If you purchased it and installed it on your SecureTrack Server earlier, it can still be used for Check Point up to version R80.x without problems.
-------
With a Check Point firewall, SecureTrack normally monitors the Check Point management server, and all information about a connected firewall is gathered from there. Sometimes this information should instead be collected directly from the firewall using SNMP. This has worked well across many versions of Check Point and SecureTrack when following the configuration guide published by Tufin, provided the corresponding license (TF-SECTRK-CP-GAIA-OS-MONITOR) has been purchased.
Hint:
If you import a Check Point firewall directly, all topology data for it are derived from the firewall itself via SNMP, no longer from the Check Point management. So if there is a problem with SNMP (e.g. connectivity, authentication), no topology data are available for this firewall.
Problem with Check Point R81:
Regardless of the configuration (which worked for R80.x and earlier), a firewall running R81.x shows "wrong password" in Menu > Settings > Administration > Status.
Consequently no data are imported into SecureTrack and no topology information is available for this firewall.
According to a discussion in the Check Point CheckMates community and to Tufin Technical Support, SNMPv3 users with SHA1 authentication are no longer supported on R81.x.
Only SHA256 and SHA512 are offered by Check Point R81.x, while the legacy SecureTrack monitor only authenticates with SHA1. To solve this issue, some additional steps are required.
So the complete integration of a Check Point R81.x firewall into SecureTrack consists of these steps:
(values used in the examples: SNMPv3 user: securetrack, interface/target: 127.0.0.1, password: password123; in production use a strong, unique passphrase and do not reuse the authentication passphrase as the privacy passphrase)
- Open the WebUI of GAiA
- Activate SNMP agent running SNMPv3 and select the corresponding interface
- Define a user (e.g. username "securetrack", passphrase "password123")
The user then shows up in the GAiA WebUI.
Because of the authentication protocol selected there (SHA256 or SHA512), this user cannot authenticate when configured in SecureTrack.
- Close the WebUI and open a console window on the GAiA system.
In Expert Mode, check that this user can authenticate, e.g. with this command:
r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA-256 -A password123 -x AES -X password123 127.0.0.1
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (27949040) 3 days, 5:38:10.40
...
r81_expert>
- Now the authentication protocol has to be changed. The corresponding values can be taken e.g. from a system running GAiA R80 (file /config/active); they are the usmUserAuthProtocol OIDs defined in RFC 3414 and RFC 7860 (.3 = HMAC-SHA1, .5 = HMAC-SHA256).
By default in R81, the user is listed in this file with this entry for SHA256:
r81_expert> cat /config/active | grep auth:proto
snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5
To change the authentication protocol of the user defined above to SHA1, run in expert mode:
r81_expert> dbset snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.3
- The authentication type has now been changed to SHA1. Note that this deliberately downgrades the user to a legacy protocol, so keep the user read-only and restrict the interface the SNMP agent listens on. The change can be checked in clish:
r81> show snmp usm user securetrack
Username securetrack
Permissions read-only
Security Level authPriv
Authentication Type SHA1
Privacy Type AES
- Since the authentication protocol has been changed, the passphrases need to be set again; do not forget this step.
(This has to be done in clish. If needed, just paste the command into the CLI from an editor on your PC.)
r81> set snmp usm user securetrack security-level authPriv auth-pass-phrase password123 privacy-pass-phrase password123
r81>
Run "save config" in clish afterwards so the change survives a reboot,
and check the authentication by e.g. this command in expert mode:
r81_expert> snmpwalk -v 3 -l authPriv -u securetrack -a SHA1 -A password123 -x AES -X password123 127.0.0.1
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (28182734) 3 days, 6:17:07.34
...
r81_expert>
- Now everything is prepared to import the firewall module into SecureTrack via Menu > Settings > Monitoring > Manage Devices.
- Select the firewall you want to import (in this example the management has only one connected firewall).
Make sure to fill in the username and password exactly as configured above, then press Next.
- Now select the network interface SecureTrack shall connect to and import the interface. The configuration is saved automatically.
- In Menu > Administration > Status, the firewall shows up below the management server. Check its status: it should be "green" and "started".
- If this is the case, the first revision should appear shortly. This can be checked via Menu > Compare.
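As an added example (not from the original article, and not Tufin's or Check Point's own tooling), the following POSIX shell helpers automate the check made above on the GAiA side: they map the usmUserAuthProtocol OIDs from RFC 3414/RFC 7860 to the names net-snmp expects after "snmpwalk -a" (the article only shows .3 and .5; the full table is given here), read a user's auth:proto line in the /config/active format shown above, and print the dbset and snmpwalk commands to run for a user that is not yet SHA1. The sample config text is constructed, and the function names and the SNMP_AUTH_PASS/SNMP_PRIV_PASS variables are this example's own assumptions. net-snmp accepts "SHA" for SHA1; the GAiA build shown above also accepted "SHA1".

```shell
#!/bin/sh
# Added example: audit the SNMPv3 auth protocol of a GAiA user for SecureTrack use.
# Not part of the article, nor of any Check Point or Tufin tooling.
# Assumes the "snmp:v3:user:<name>:auth:proto <oid>" line format of /config/active
# as shown in the article, and the usmUserAuthProtocol OIDs of RFC 3414 / RFC 7860.

# usmUserAuthProtocol OID -> protocol name as used by "snmpwalk -a".
# Only .3 (HMAC-SHA-96, i.e. SHA1) is accepted by the legacy SecureTrack monitor.
auth_proto_name() {
    case "$1" in
        .1.3.6.1.6.3.10.1.1.1) echo "none" ;;      # usmNoAuthProtocol
        .1.3.6.1.6.3.10.1.1.2) echo "MD5" ;;       # usmHMACMD5AuthProtocol
        .1.3.6.1.6.3.10.1.1.3) echo "SHA" ;;       # usmHMACSHAAuthProtocol (SHA1)
        .1.3.6.1.6.3.10.1.1.4) echo "SHA-224" ;;   # usmHMAC128SHA224AuthProtocol
        .1.3.6.1.6.3.10.1.1.5) echo "SHA-256" ;;   # usmHMAC192SHA256AuthProtocol
        .1.3.6.1.6.3.10.1.1.6) echo "SHA-384" ;;   # usmHMAC256SHA384AuthProtocol
        .1.3.6.1.6.3.10.1.1.7) echo "SHA-512" ;;   # usmHMAC384SHA512AuthProtocol
        *) echo "unknown"; return 1 ;;
    esac
}

# Print the auth protocol OID of user $1 from the /config/active text in $2
# (on a real box: user_auth_oid securetrack "$(cat /config/active)").
user_auth_oid() {
    printf '%s\n' "$2" | awk -v key="snmp:v3:user:$1:auth:proto" '$1 == key { print $2; exit }'
}

# Succeed only if user $1 (config text in $2) uses SHA1, i.e. is usable by SecureTrack.
securetrack_compatible() {
    [ "$(user_auth_oid "$1" "$2")" = ".1.3.6.1.6.3.10.1.1.3" ]
}

# Print the expert-mode dbset command that switches user $1 to SHA1 (nothing is applied here).
sha1_fix_command() {
    echo "dbset snmp:v3:user:$1:auth:proto .1.3.6.1.6.3.10.1.1.3"
}

# Print the snmpwalk call matching auth OID $2 for user $1 against host $3.
# The passphrases are referenced via environment variables (assumed names) so the
# literal secrets stay out of shell history; they are still visible in ps output.
verify_command() {
    echo "snmpwalk -v 3 -l authPriv -u $1 -a $(auth_proto_name "$2") -A \"\$SNMP_AUTH_PASS\" -x AES -X \"\$SNMP_PRIV_PASS\" $3"
}

# Print a verdict for user $1 (config text in $2); returns 0 if SecureTrack can use it.
audit_user() {
    oid=$(user_auth_oid "$1" "$2")
    if [ -z "$oid" ]; then
        echo "$1: no auth:proto entry found"
        return 2
    fi
    name=$(auth_proto_name "$oid") || true
    if securetrack_compatible "$1" "$2"; then
        echo "$1: auth=$name ($oid), OK for SecureTrack"
        return 0
    fi
    echo "$1: auth=$name ($oid), NOT accepted by SecureTrack; run in expert mode:"
    echo "    $(sha1_fix_command "$1")"
    echo "then re-set the passphrases in clish and verify with:"
    echo "    $(verify_command "$1" .1.3.6.1.6.3.10.1.1.3 127.0.0.1)"
    return 1
}

# Constructed sample of the relevant /config/active lines (not a real system dump):
# "securetrack" still has the R81 default SHA256, "legacymon" was already switched.
SAMPLE_CONFIG='snmp:v3:user:securetrack:auth:proto .1.3.6.1.6.3.10.1.1.5
snmp:v3:user:legacymon:auth:proto .1.3.6.1.6.3.10.1.1.3'

for u in securetrack legacymon; do
    audit_user "$u" "$SAMPLE_CONFIG" || true
done
```

On a GAiA system the same functions can be fed the real file with audit_user securetrack "$(cat /config/active)"; the script only prints the dbset and snmpwalk commands and never changes the configuration itself.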