Idea Details

Need SNMPv3 context support for Checkpoint VSX firewalls

Last activity 11-18-2019 08:01 AM
Dan Santos's profile image
06-01-2015 03:09 PM

Please enhance modeling of Checkpoint VSX firewalls to include the virtual firewalls (using SNMPv3 contexts).

 

Currently when discovering the management IP of the Checkpoint 21700 Series device that hosts a number of VSX (virtual firewalls) on it only the interfaces on the VS0 virtual firewall show up in the model. No interfaces from the other VS (virtual firewalls) that are configured appear in the model's interface table.

According to the documentation from Checkpoint, this is how it works by design when polling the management interface.

SNMP agents will not reply from the Virtual firewalls to allow us to model them individually.

The Virtual firewalls must be modeled via the VS0 using SNMPv3 contexts for each of the virtual. This is the only way to do it.

We would like to request that SNMPv3 enhancements be made in order to accommodate the context polling in v3.

This will likely be something that more and more vendors do as the industry moves more into nationalization and having to use v3 for security.

 

Thanks

Dan


Comments

05-14-2019 06:50 AM

I colleague of mine pointed me to this documentation entry too, so I'm aware that this is FAD. Still I don't understand what alse purpose this field could have than for SNMPv3 communication...

05-14-2019 06:22 AM

Hi all,hilmarpreusse,

 

just had a support ticket for the same and got the following statements:

"Currently CAPM does not support using Context Name in SNMPv3 in the DA. Even though the UI allows to enter one, we do not use it in SNMPv3."

This is also noted in docops:

https://docops.ca.com/ca-performance-management/3-7/en/building/snmp-profiles

"Development team is currently starting the development process to support context and Checkpoint virtual devices."

... who knows how long this may take ...

 

Don't know if I'm missing something, but I don't see a single response from CA within this thread during it's lifetime of 4 (in words: four) years.

 

PS: since I did not check for existing ideas on this topic, I happen to raise a new one yesterday which is kind of duplicate now: PM SNMPv3 context awareness needed

 

regards,
Raphael

05-07-2019 10:42 AM

We are in 2019, Version 3.7 has been released; still the context_name field is a dummy. Any chance to make progress here?

03-10-2019 07:46 PM

Any chance this idea is being considered or in the upcoming release please?

03-23-2018 08:57 AM

As said: I did not test the feature. Please double check the credentials and test again. If that doesn't solve the problem, please open a ticket @CA support.

03-22-2018 07:06 PM

I have actually tried it against a SNMPv3 device with contexts and I couldn't really see it discovered. Not sure if I have missed something, but it didn't work for me 

03-22-2018 05:44 AM

I've changed the category to CA PM. In 3.5 at least the GUI suggests that this works now. No, we don't have any SNMP agent @hand to test the feature. ;-)

 

Feel free to set the idea to resolved.

 

03-19-2018 07:45 PM

jason_normandin Just checking to see if  this functionality has been made available in CA PM? Can you please clarify ?

 

CA PM - CheckPoint Firewall VSX interface discovery  

06-10-2016 02:10 AM

hilmarpreusse also found this idea SNMPv3 Discovery with Context  which is also a request for context.

06-09-2016 01:37 PM

Would you be so kind to add categorie "eHealth", as the feature is missing there too.

04-29-2016 09:48 AM

My organization has just completed some initial testing of VSX and wishes to move ahead with it, however my team has concerns about monitoring. It looks like Spectrum may only be able to provide basic hardware monitoring of the VSO. Has anyone else come up with a solution for this type of device? 

 

https://sc1.checkpoint.com/documents/R76SP.10/CP_R76SP.10_for_41000_Security_System_Getting_Started_Guide/94813.htm

 

Thanks,

Jeff

02-25-2016 06:57 AM

Any news regarding this Idea ?

Thanks