How to use cacti with checkpoint-fw1 snmpd ?


Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

How to use cacti with checkpoint-fw1 snmpd ?

Post by Kenny »

Hi everyone,

Just out of curiosity I've tried to get cacti to poll a Checkpoint FW1-host, which runs both snmp-daemons (the net-snmp and checkpoint's own snmp, running at udp-port 260).
Cacti will poll the net-snmp of the FW just fine, but it can't poll the checkpoint-snmpd of the FW. Somehow it won't use port 260. I have looked at and tried every solution that has been posted for these issues, but I cannot get past this port-issue. Even the snmp.php wasn't safe for these experiments as this has

Code:

function cacti_snmp_get($hostname, $community, $oid, $version, $username, $password, $port = 161, $timeout = 500, $environ = SNMP_POLLER) {
        global $config;

built into the script. I've changed the $port = 161 into $port, but that didn't do it either.

Has anyone ever succeeded in using cacti to poll both snmpd's on one host?

Thanx in advance,

Kenny
Last edited by Kenny on Mon Dec 27, 2004 4:44 am, edited 1 time in total.
Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

Post by Kenny »

Well, I've created a script that will get the data for me:

(This is the OID for the current number of connections a Check Point has in its state-table)

Code:

snmpget -v 1 -c public "$1:260" .1.3.6.1.4.1.2620.1.1.25.3.0 | awk '{print $4}'

where $1 is the variable for the hostname that is needed for the snmpget.

I've created a data-input method, a graph template and a data template, added the method to the monitored host, but still I get an empty graph.

In the cacti.log I see

Code:

12/02/2004 02:03:04 PM - CMDPHP: Poller[0] Host[11] CMD: /data/www/cacti-0.8.6b/scripts/fw-connections.ksh hostname, output: U

and a snoop (cacti runs on a Solaris-box) on the interface reveals only "normal" snmp traffic (on port 161) and not the scripted snmpget to port 260.

Does anyone have a suggestion to get this right?
Guest

(SOLVED) - How to use cacti with checkpoint-fw1 snmpd

Post by Guest »

Finally we decided to make a quick hack to get around this port-issue. We made a perl-script to collect the OID-data and put that into the rra.

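Code:

#!/usr/bin/perl
use strict;
use warnings;

# Hostname is passed in by Cacti as the first argument.
my $host = defined $ARGV[0] ? $ARGV[0] : '';
chomp $host;

# $host ends up inside a shell command line, so accept hostname/IP characters only.
$host =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ or die "invalid hostname\n";

# Query the Check Point snmpd on udp-port 260 and keep the 4th field (the value).
my $output = `/usr/local/bin/snmpget -v 1 -c public $host:260 .1.3.6.1.4.1.2620.1.1.25.3.0 | awk '\{print \$4\}'`;
chomp($output);
print $output;

Now we see the graph getting nice colors...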

If anyone has a solution to get cacti to poll a checkpoint-node on udp-port 260 (with all the bells and whistles - e.g. indexed queries and graphs with nice colors), please make it public. I know that there is a demand for such queries by those who don't know how to code (like me :cry: )

Kenny
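
An added example, not part of the original posts: the same port-260 poll as a Cacti data input script that validates the hostname argument, runs snmpget without a shell, and prints U when the reply holds no integer instead of whatever lands in awk's fourth field. The snmpget path and OID come from the posts above; the function names, the -t/-r settings and the reply formats in the comments are assumptions of this example.

```python
#!/usr/bin/env python3
"""Cacti data input script: one OID from the Check Point snmpd on UDP 260."""
import re
import subprocess
import sys

SNMPGET = "/usr/local/bin/snmpget"      # path as used in the Perl script above
OID = ".1.3.6.1.4.1.2620.1.1.25.3.0"    # OID quoted in the thread
PORT = 260
# Hostname or IPv4 only; the first character may not be "-" (option injection).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")
# "<oid> = INTEGER: 42", "<oid> = Gauge32: 42" or a bare "<oid> = 42".
VALUE_RE = re.compile(r"=\s*(?:[A-Za-z0-9-]+:\s*)?(-?\d+)$")


def valid_host(host):
    return HOST_RE.fullmatch(host) is not None


def parse_value(line):
    """Return the integer value of an snmpget reply line, or None."""
    m = VALUE_RE.search(line.strip())
    return int(m.group(1)) if m else None


def poll(host, community="public"):
    """Run snmpget with an argument list (no shell); None on any failure."""
    if not valid_host(host):
        return None
    cmd = [SNMPGET, "-v", "1", "-c", community, "-t", "2", "-r", "1",
           f"{host}:{PORT}", OID]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_value(out.stdout) if out.returncode == 0 else None


if __name__ == "__main__":
    value = poll(sys.argv[1]) if len(sys.argv) == 2 else None
    # Cacti records "U" (unknown) for a sample it cannot use.
    print("U" if value is None else value, end="")
```
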
jcaesar
Posts: 32
Joined: Mon Nov 01, 2004 5:07 pm
Location: Atlanta, GA

Re: (SOLVED) - How to use cacti with checkpoint-fw1 snmpd

Post by jcaesar »

Anonymous wrote: If anyone has a solution to get cacti to poll a checkpoint-node on udp-port 260 (with all the bells and whistles - e.g. indexed queries and graphs with nice colors), please make it public. I know that there is a demand for such queries by those who don't know how to code (like me :cry: )

Kenny

I'm pretty sure this will be fixed in 0.8.7 when you can turn off Host Down Detection on a per-host basis. Because the Check Point SNMP daemon doesn't return anything for the SysDescr.0 OID, cacti considers the host to be down and won't attempt to poll the device.
yardus9
Cacti User
Posts: 77
Joined: Tue Jan 27, 2004 5:32 pm

Post by yardus9 »

My solution was just to create a new host with the same IP but using the alternative SNMP port #.
I am just adding this to this thread for people that are trying to poll on port 260, but don't care that the graphs are not on the same hosts.
Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

Post by Kenny »

I've tried that also, cloned the host and changed the snmp-port to 260. That didn't work in my situation, though...
Cacti just didn't use the new port, only 161. This is probably because of what jcaesar said about checkpoint's snmpd.
Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

Post by Kenny »

Besides all this, it's just plain annoying that checkpoint's snmpd doesn't return all the data that's available in the MIB.
Not that a non-fw module must return the (for example) floodgate-stats even if that's not installed, but still...

For instance: if I want to get the number of users that are logged on to a policy server of a VPN-1, I get no results (well, a "0") even though I know that more than 60 users are logged in.
This happens on the host itself, and from the command-line of the polling station. Of course Checkpoint's own Smartview Status (R55) can get these numbers just fine, but it's not useful to look at this screen all day for an analysis of the usage of a policy server...

But this is getting slightly off-topic, I think
Gedu
Posts: 1
Joined: Thu Nov 11, 2004 12:42 am

Post by Gedu »

Well, fortunately Checkpoint Secureplatform NG AI R55 answers to checkpoint specific queries from standard snmp port 8)

But I'm having trouble graphing accepted/rejected/dropped packets, as the counter resets to -2^31 :( When the counter is positive I can get graphs out of it. In fact this seems more like an RRDtool problem, as the correct counter value can be seen in rrdtool dump, but it just can't calculate correctly.

And I have tried to get this work on interface level, but cacti just doesn't seem to understand the indexing :( In fact I think it just doesn't like the .0 that all the answers have in the end of OID. I have tried to get index using regexp, but it only indexes the interfaces, but not the interface counters! :(

Has anybody successfully got FW1 Secureplatform to graph even global counters of accepted/rejected/dropped packets?
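
An added example, not from the thread: a reading that jumps to -2^31 is what a 32-bit counter looks like when it is reported as a signed integer, which is the assumption here. The code maps such readings back to 0..2^32-1 and computes the per-second rate across the sign flip; the function names, the max_rate cut-off and the sample values are constructed for illustration.

```python
"""Rates from a 32-bit SNMP counter that arrives as a signed integer."""

MOD = 1 << 32


def to_unsigned32(raw):
    """Map a signed 32-bit reading (-2**31 .. 2**31-1) back to 0 .. 2**32-1."""
    if not -(1 << 31) <= raw < MOD:
        raise ValueError(f"not a 32-bit value: {raw}")
    return raw % MOD


def rate(prev_raw, cur_raw, seconds, max_rate=None):
    """Per-second rate between two polls, tolerating one wrap in between.

    Returns None when the result exceeds max_rate: after a counter reset the
    modular difference is huge, and an unknown sample is better than a spike.
    """
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    delta = (to_unsigned32(cur_raw) - to_unsigned32(prev_raw)) % MOD
    per_second = delta / seconds
    if max_rate is not None and per_second > max_rate:
        return None
    return per_second


# Constructed samples, 300 s apart: the reading passes 2**31-1 and turns negative.
SAMPLES = [2147482000, -2147482296, -2147476296]


def rates(samples, seconds=300, max_rate=None):
    """Rates for each consecutive pair of raw readings."""
    return [rate(a, b, seconds, max_rate) for a, b in zip(samples, samples[1:])]


if __name__ == "__main__":
    print(rates(SAMPLES))
```
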
Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

Post by Kenny »

I have seen the same with FP2 on Solaris (and the version is irrelevant, I presume). If I push the rulebase to the firewall, I get a huge spike in the cacti-graph. The values rise from 20m to 8.0M for just a short peak (2 or 3 polling-cycles).

Secureplatform is "just" Linux with FW-1 onto it, with some Checkpoint-added value. So if they decided to incorporate the Checkpoint-MIB into the normal snmp, of course it will reply with the correct answers...

BTW, it's not possible AFAIK to get the polling to use another port with the new 0.8.6.c, but hey, I am still an impatient nOOb. :lol:

A friend told me one time that patience is a virtue, so I can wait...

Kenny
mgraves
Posts: 1
Joined: Wed Feb 02, 2005 11:52 am

Post by mgraves »

Gedu wrote: Has anybody successfully got FW1 Secureplatform to graph even global counters of accepted/rejected/dropped packets?

I have been hacking at this for a few days now and I have something that can read some MIBs from a Checkpoint Secureplatform NG. I don't think that the interface specific counters are working correctly. They may be gauge instead of counter registers but I don't have any documentation that tells me one way or another.

Comments / Suggestions?
Attachments
cacti-cp.zip
Checkpoint Secure Platform
(18.62 KiB) Downloaded 1155 times
pbulteel
Cacti User
Posts: 150
Joined: Fri Sep 05, 2003 9:20 am
Location: London

Post by pbulteel »

If people are still having problems doing this - you can run both snmp daemons and poll them through the net-snmp daemon by adding the following to your config file

proxy -v 1 -c your_community localhost:your_port your_OID

For example - to poll squid I used.

proxy -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1

I don't remember where I found this, but it was probably on here somewhere....

This might be a good thing to put in an FAQ or something (how to poll other snmpd running on my host)

-P
uname -a
grodno5
Posts: 36
Joined: Fri Feb 18, 2005 12:49 pm
Location: US/PA

Cacti-FW-CP-NG

Post by grodno5 »

Which config file are you talking about?
I downloaded cacti_cp.zip. It looks like it is getting data on port 260 (NG-FW), but not getting any .rrd and not getting anything graphed. At the same time Interface statistics which is port 161 doesn't work.
Is there any way that I can use both ports at the same time?
pbulteel
Cacti User
Posts: 150
Joined: Fri Sep 05, 2003 9:20 am
Location: London

Post by pbulteel »

This is in the snmpd.conf file of your net-snmp install.

In this case something like

proxy -v 1 -c your_community localhost:260 .1.3.6.1.4.1.2620.1.1.25.3.0 (or whatever the node is you want)

I don't have a box with FW-1 or NG-FW to test this - so maybe it doesn't work. It's just an example that works when talking to Squid and I'm testing with other snmpds on the same machine.

-P
uname -a
hypatia
Posts: 17
Joined: Mon Jan 03, 2005 1:28 pm

Not working

Post by hypatia »

I've installed the above templates, but am getting only a solid line at zero on my graphs. All data is zero. However, the data is being read correctly from the firewall. Here's a line from my cacti.log:

Code:

04/22/2005 12:25:23 PM - CMDPHP: Poller[0] Host[41] SNMP: v2: 10.1.1.1, dsname: fwPktAcceptedIn, oid: .1.3.6.1.4.1.2620.1.1.25.5.1.5.1.0, output: 7666404

When I do a rrdtool dump on the data base I get this:

Code:

<!-- 2005-04-22 12:25:00 EDT / 1114187100 --> <row><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v><v> 0.0000000000e+00 </v></row>

It's all zeros. Where is my data getting lost? Does anyone have an idea?

Thanks,
Hypatia
simonmag
Posts: 6
Joined: Mon Jul 25, 2005 4:09 am

Checkpoint Firewall1 Monitorin

Post by simonmag »

I have tried to import the XML file into CACTI and am getting 'XML ERROR cacti version does not exist'

Any ideas?