Discussion:
[Netdisco] Checkpoint Firewall - No ARP cache polling since upgrade from IPSO to GAiA OS
Tobias Gerlach
2014-03-26 15:23:34 UTC
Hello,

we have a lot of Checkpoint Firewalls in our network and we need to
upgrade all of them from old IPSO to new GAiA OS.
After the update the sysObjectID changed in GAiA to generic
NET-SNMP-MIB::netSnmpAgentOIDs:

***@server:/usr/local/netdisco$ snmpwalk -v2c -c community
<firewall> sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10

Netdisco now classifies that device as SNMP::Info::Layer3::NetSNMP,
which is from ND's point of view probably right, and no
longer as a SNMP::Info::Layer3 device. Arpnip is now skipped for that
SNMP::Info class:

"arpnip: status done: Skipped arpnip for device 4.3.2.1/32 without OSI
layer 3 capability"

It is mandatory for us to still receive that ARP cache information.

arpnip on an IPSO OS:
***@server:/usr/local/netdisco$ netdisco-do arpnip -D -d <firewall>
[22770] info @0.000011> arpnip: started at Wed Mar 26 15:55:25 2014
[22770] debug @0.308176> [1.2.3.4] try_connect with ver: 2, class:
SNMP::Info::Layer3, comm: community
[22770] debug @3.563709> [1.2.3.4] check_mac - HSRP mac
[00:00:0c:07:ac:01] - skipping
[22770] debug @3.607635> resolving 222 ARP entries with max 50
outstanding requests
[22770] debug @4.834284> resolving 0 ARP entries with max 50
outstanding requests
[22770] debug @5.033101> [1.2.3.4] arpnip - found subnet 10.1.0.0/24
[22770] debug @5.033640> [1.2.3.4] arpnip - found subnet 10.2.0.0/24
[22770] debug @5.034073> [1.2.3.4] arpnip - found subnet 10.3.0.0/24
[22770] debug @5.043985> [1.2.3.4] arpnip - found subnet 10.4.0.0/24
[22770] debug @6.300389> [1.2.3.4] arpnip - processed 222 ARP Cache entries
[22770] debug @6.300689> [1.2.3.4] arpnip - processed 0 IPv6 Neighbor
Cache entries
[22770] debug @6.404250> [1.2.3.4] arpnip - processed 28 Subnet entries
[22770] info @6.408395> arpnip: finished at Wed Mar 26 15:55:31 2014
[22770] info @6.408656> arpnip: status done: Ended arpnip for 1.2.3.4
***@server:/usr/local/netdisco$ snmpwalk -v2c -c community
<firewall> sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.94.1.21.2.1.146
***@server:/usr/local/netdisco$

arpnip on a GAiA OS:
***@server:/usr/local/netdisco$ netdisco-do arpnip -D -d <firewall>
[22759] info @0.000012> arpnip: started at Wed Mar 26 15:52:37 2014
[22759] debug @0.320897> [4.3.2.1] try_connect with ver: 2, class:
SNMP::Info::Layer3::NetSNMP, comm: community
[22759] info @0.992697> arpnip: finished at Wed Mar 26 15:52:38 2014
[22759] info @0.993051> arpnip: status done: Skipped arpnip for
device 4.3.2.1/32 without OSI layer 3 capability
***@server:/usr/local/netdisco$

Any ideas to fix that issue?
Thanks a lot in advance!

Regards Tobias
Tobias Gerlach
2014-03-27 13:59:59 UTC
Meanwhile I got an official statement from Checkpoint regarding this
not nice sysObjectID behavior:

"Check Point operating systems (SecurePlatform/Gaia) do not provide a
sysObjectID as it appears in the RFC 1213.
Per RFC 1213, sysObjectID OID is "The vendor's authoritative
identification of the network management subsystem contained in the
entity. This value is allocated within the SMI enterprises subtree
(1.3.6.1.4.1) and provides an easy and unambiguous means for
determining 'what kind of box' is being managed.")
When sending an SNMP Query to Check Point machine with OID
.1.3.6.1.2.1.1.2, the machine returns a reply based on the operating
system used."

I'm not really satisfied with their statement because it makes it much
more difficult for network monitoring tools to identify and discover
Checkpoint devices fully correctly.
Tobias Gerlach
2014-03-28 09:29:08 UTC
Hello T9En,

thanks a lot!! With that line in the snmpd config file, ND2 polls the
ARP cache fine again! :)

Regards Tobias

Veeramachaneni
2014-03-28 06:30:23 UTC
Hi Tobias Gerlach,

You need to make a change in the snmpd configuration of the GAIA system. As it is configured as a non-L3 device by default, Netdisco is skipping ARPNIP on the device.

You need to edit "/etc/snmp/userDefinedSettings.conf" and add one line at the end of the file:

sysservices 76


and restart the snmpd service ("service snmpd restart"). Then try to poll the device in Netdisco.

Note: DO NOT EDIT FILE "/etc/snmp/snmpd.conf"

Hope this will solve the issue.
 
Regards,
T9En
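Why "sysservices 76" makes the difference: sysServices (RFC 1213, `.1.3.6.1.2.1.1.7`) is a bitmask in which bit L-1 set means the agent offers services at OSI layer L, so 76 = 4 + 8 + 64 advertises layers 3, 4 and 7, and Netdisco only runs arpnip on devices that advertise layer 3 (the "without OSI layer 3 capability" message above). The helper below is an added example, not Netdisco's or Check Point's code; it decodes any sysServices value, rebuilds one from a set of layers, and reproduces the skip/run decision. The contrasting value 72 (layers 4 and 7 only, a plain-host value) is constructed for illustration; the page does not state what GAiA reports by default.

```python
"""Decode and check an RFC 1213 sysServices value (added example, not project code)."""

LAYER_NAMES = {
    1: "physical",
    2: "datalink/subnetwork",
    3: "internet (routing)",
    4: "end-to-end (transport)",
    5: "session",
    6: "presentation",
    7: "applications",
}


def decode_sys_services(value):
    """Return the set of OSI layers encoded in a sysServices integer.

    RFC 1213: for each layer L in 1..7, add 2**(L-1) if the agent offers
    services at that layer, so the legal range is 0..127.
    """
    if not 0 <= value <= 127:
        raise ValueError("sysServices must be in 0..127 (RFC 1213)")
    return {layer for layer in range(1, 8) if value & (1 << (layer - 1))}


def encode_sys_services(layers):
    """Inverse of decode_sys_services: build the integer from a set of layers."""
    return sum(1 << (layer - 1) for layer in set(layers))


def has_layer(value, layer):
    """True if the given OSI layer bit is set in the sysServices value."""
    return layer in decode_sys_services(value)


def arpnip_decision(device, value):
    """Reproduce the arpnip status line from the thread for a sysServices value.

    This mirrors the observed Netdisco behaviour (run arpnip only when the
    device advertises layer 3); it is not Netdisco's own implementation.
    """
    if has_layer(value, 3):
        return "Ended arpnip for %s" % device
    return "Skipped arpnip for device %s/32 without OSI layer 3 capability" % device


def describe(value):
    """Human-readable list of the layers a sysServices value advertises."""
    layers = sorted(decode_sys_services(value))
    return ", ".join("L%d %s" % (l, LAYER_NAMES[l]) for l in layers) or "(no layers)"


if __name__ == "__main__":
    # 76 is the value T9En's fix writes into /etc/snmp/userDefinedSettings.conf.
    # 72 is a constructed "plain host" value (layers 4 and 7) shown for contrast.
    for value in (72, 76):
        print("sysServices %3d = %07b -> %s" % (value, value, describe(value)))
        print("   ", arpnip_decision("4.3.2.1", value))
```

To confirm the fix took effect after restarting snmpd, compare the agent's answer to `snmpget -v2c -c <community> <firewall> sysServices.0` with `decode_sys_services()`: the result should include layer 3 before Netdisco is asked to poll again.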