Did anyone have success with discovering the interfaces of CheckPoint Firewall VSX in CA PM? As per the certification and vendor support, the information is supposed to be available in CA PM but I have not been able to get these virtual interfaces discovered.
I could see the VSX interface information discovered in Spectrum but the same isn't working even though the monitoring profiles in CA PM already have the needed metric families enabled.
Is anyone able to see this info in CA PM?
Any advice on this please?
Do you have the Virtual Interface Metric Family associated to a Monitoring Profile that is associated to a Collection that the device in question is a part of? It is sort of a following the bouncing ball kind of thing. You can see what device types a device is on the details tab of Monitored Devices:
And then on the Monitoring Profiles tab you can see further details as well as if you click a collection you can see what Monitoring Profiles are associated to it:
So for my example device it is showing as a router, if I wanted to get Virtual Interfaces to it I would need to create a new Monitoring Profile as Virtual Interface is not in one by default. Go to Monitoring Profiles on the left and click the new button at the bottom:
After that is created now you need to add it to a collection in the Collections section just like you would when adding Network Interface. You can create a custom collection as well if you want to contain only the CheckPoint devices instead of all routers but for my example I will add it to Routers:
Now you can see the Virtual Interface Monitoring Profile (which contains the Virtual Interface Metric Family) will be associated to All Routers.
I already have this configuration done, but still do not see the virtual interfaces related to VSX discovered. I have a custom Monitoring Profile created specifically for CheckPoint firewalls which has the Virtual Interface Metric Family as part of it, but it simply shows up as "Not Supported" under the Polled Metric Families against the device.
Any other clues please?
The next step would be to go take a look at the Metric Family / Vendor Certification to see what the required fields are. From there we can try a targeted walk to see if they exist in the device as well as check DcDebug for Discover logging to see what PM is seeing. To find what the required OIDs are we can take a look at the metric family and see which Vendor Certification "should" be used in the priority list:
This is from my 3.5 environment with no custom work:
As you say it is a Checkpoint Device I am going to guess that it is the CheckPoint Firewall Appliances Interface Vendor Certification you want.
If you add the column name Internal Name in the Vendor Certifications window (mouse over the sort arrow on the column header and click the cog wheel that appears) you will need that name. For my example it is:
Next we take the DA REST interface using the name and look for any entries that are IsKey = True:
In my environment I have only one which also corresponds to: vsxStatusInterfaceVSID
Thank you for the instructions. The variables in my environment look quite the same as what you posted, and I did not actually find the "vsxStatusInterfaceVSID" variables when I queried the device MIB walk file.
The vsxStatusInterfaceVSID variable seems to be referencing the "CHECKPOINT-MIB" but I couldn't actually find this variable in the vendor MIB itself when I tried to look for it. We have the device discovered in Spectrum and I could see the interface information for VSX displayed without any issues. I see Spectrum seems to be querying the fwIfTable in the "CHECKPOINT-MIB" to get the interface information, and this information would not be displayed unless we use the context name which Spectrum automatically picks up during the SNMPv3 discovery.
I am not sure how CA PM works with the contexts during discovery, as I do not see much info related to VSX discovered though we have all the needed metric families included.
Any thoughts on this please?
If that is the case it looks like you may fall under these ideas as well then by the Context information you mentioned:
Need SNMPv3 context support for Checkpoint VSX firewalls
SNMPv3 Discovery with Context
Yes, I have seen those ideas; the one for CA PM was opened in 2015 and the certification for CheckPoint Gaia OS VSX R77.20 was done in 3.1, which was released around 2017. Also, I see the variables related to VSX are already available in the certification as per the vendor support list, so I was expecting that this functionality would already be included in CA PM.
Maybe this needs to be verified with product management.
jason_normandin Could you please advise?
What version of PM are you using? I just checked 3.1-3.5 machines and within the SNMP Profile, you can set a context name. Have you tried adding the context name that Spectrum is seeing there?
We are on 3.5, yes I did try to use the context option available in SNMPv3 but it didn't really work for me.
Apologies Phani but I have reached the limit of what I can do via Communities. With none of the above steps we took working, my recommendation is to open a Support Case (link this thread in the description) so a Support Engineer can take a further detailed look into what is going on or rather what is not going on.
Thanks for all the inputs, we already have an issue open with Support on this. I'll post the community link to the support ticket for reference.
Would you be able to email me the case number? I would like to look further into it as well as follow the case.
Sure, thank you
Run an 'update metric families' on the device. The last discovered says 7th of February on your link.
I have tried this already and it did not help
We have a project on the backlog to address some shortcomings in our Checkpoint monitoring. Unfortunately, we don't yet have a target deliverable identified.
In the interim, would you be able to submit a certification request with Technical Support and forward me (firstname.lastname@example.org) the certification ID so I can follow up with R&D?
The metrics I was looking for are actually certified, but for some reason do not seem to be getting collected in CA PM. We have an open ticket with Support and were informed that there are multiple customers facing the same issue.
Anyways, will send you an email with the ticket number.