Getting sysObjectID out of cpsnmpd on a Crossbeam APM

March 10th, 2006

I’d like to use OpenNMS to discover and collect statistics from the SNMP agent of Check Point FW-1 firewalls running on Crossbeam APMs. The major challenge in doing so is that cpsnmpd, in its default configuration, defines a MIB view that includes only 1.3.6.1.4.1.2620.1.1 (enterprises.checkpoint.products.fw). The sysObjectID MIB object (1.3.6.1.2.1.1.2.0) is therefore excluded from this view, so OpenNMS cannot determine what kind of device it is dealing with. I know of at least one person who is having the same issue trying to discover these agents using CA (Concord) eHealth.

I gathered the above information on the MIB view from looking at a FW-1 R55 installation on a Solaris system; in $CPDIR/lib/snmp I found a file called view.conf with the following contents:

#
# entries are in the following format:
# viewIndex viewSubtree viewStatus viewMask
# where viewstatus is either "included" or "excluded",
# and mask is either "null" or a hex number 1-16 bytes long.

10 .iso.org.dod.internet.private.enterprises.checkpoint.products.fw included Null

This file does not exist on the FW-1 APM installations that I have looked at (where the CPMs are running XOS 6.0.1 and 7.0.1), but the $CPDIR/lib/snmp directory does exist. I would propose creating the view.conf here with the following contents:

#
# entries are in the following format:
# viewIndex viewSubtree viewStatus viewMask
# where viewstatus is either "included" or "excluded",
# and mask is either "null" or a hex number 1-16 bytes long.

10 .iso.org.dod.internet.private.enterprises.checkpoint.products.fw included Null
10 .iso.org.dod.internet.mgmt.mib-2.system included Null

That should add the MIB-2 system group to the default MIB view, allowing most network management systems to discover these devices. A cprestart will almost certainly be needed to get cpsnmpd to reload its view configuration, though sending a HUP signal to the running cpsnmpd process might do the trick.
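
An added example (not part of the original post, and not Check Point code): a small Python model of the view.conf format quoted above, checking that the proposed file brings sysObjectID into view while the rest of MIB-2 stays outside it. It assumes standard SNMP view semantics (the longest matching subtree decides) and handles only Null masks; the `NAMES` table and function names are made up for this sketch.

```python
# Added example: models the view.conf format quoted above. Assumes standard
# SNMP view semantics (longest matching subtree wins); cpsnmpd may differ.

# Symbolic names that appear on this page only (not a full MIB tree).
NAMES = {"iso": 1, "org": 3, "dod": 6, "internet": 1, "private": 4,
         "enterprises": 1, "checkpoint": 2620, "products": 1, "fw": 1,
         "mgmt": 2, "mib-2": 1, "system": 1}

DEFAULT_VIEW = """\
# viewIndex viewSubtree viewStatus viewMask
10 .iso.org.dod.internet.private.enterprises.checkpoint.products.fw included Null
"""
PROPOSED_VIEW = DEFAULT_VIEW + \
    "10 .iso.org.dod.internet.mgmt.mib-2.system included Null\n"

def to_oid(text):
    """Turn a dotted symbolic or numeric OID into a tuple of integers."""
    return tuple(int(p) if p.isdigit() else NAMES[p]
                 for p in text.strip(".").split("."))

def parse_view(conf):
    """Return (index, subtree, included) entries, skipping comments/blanks."""
    entries = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        index, subtree, status, mask = line.split()
        if status.lower() not in ("included", "excluded"):
            raise ValueError("bad viewStatus: " + status)
        if mask.lower() != "null":
            raise ValueError("hex masks are not modelled in this example")
        entries.append((int(index), to_oid(subtree), status.lower() == "included"))
    return entries

def in_view(conf, oid, index=10):
    """True if the longest subtree covering oid in this view is 'included'."""
    oid = to_oid(oid)
    matches = [(len(sub), inc) for idx, sub, inc in parse_view(conf)
               if idx == index and oid[:len(sub)] == sub]
    return bool(matches) and max(matches)[1]

SYS_OBJECT_ID = "1.3.6.1.2.1.1.2.0"
if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_VIEW), ("proposed", PROPOSED_VIEW)):
        print(name, "view exposes sysObjectID:", in_view(conf, SYS_OBJECT_ID))
```

Running the same check against any other OID before touching the firewall shows exactly what the edited view would expose to a management station.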

Firewall, Geeky, OpenNMS, SNMP