DX NetOps


CA PM - CheckPoint Firewall VSX interface discovery

Phani Devulapalli


  • 1.  CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 15, 2018 12:11 AM

    Hello All,

     

    Did anyone have success with discovering the interfaces of CheckPoint Firewall VSX in CA PM? As per the certification and vendor support, the information is supposed to be available in CA PM but I have not been able to get these virtual interfaces discovered.

     

    I could see the VSX interface information discovered in Spectrum but the same isn't working even though the monitoring profiles in CA PM already have the needed metric families enabled.

     

    Is anyone able to see this info in CA PM?

     

    Any advice on this please?

     

     



  • 2.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Mar 15, 2018 10:16 AM

    Phani,

     

    Do you have the Virtual Interface Metric Family associated to a Monitoring Profile that is associated to a Collection that the device in question is a part of?  It is sort of a following the bouncing ball kind of thing.  You can see what device types a device is on the details tab of Monitored Devices:

     

     

    And then on the Monitoring Profiles tab you can see further details as well as if you click a collection you can see what Monitoring Profiles are associated to it:

     

     

    So for my example device it is showing as a router, if I wanted to get Virtual Interfaces to it I would need to create a new Monitoring Profile as Virtual Interface is not in one by default.  Go to Monitoring Profiles on the left and click the new button at the bottom:

     

    After that is created now you need to add it to a collection in the Collections section just like you would when adding Network Interface.  You can create a custom collection as well if you want to contain only the CheckPoint devices instead of all routers but for my example I will add it to Routers:

     

     

    Now you can see the Virtual Interface Monitoring Profile (which contains the Virtual Interface Metric Family) will be associated to All Routers.

     

    Troy



  • 3.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 15, 2018 06:32 PM

    Hi Troy,

     

    I already have this configuration done, but still do not see the virtual interfaces related to VSX discovered. I have a custom Monitoring Profile created specifically for CheckPoint firewalls which has the Virtual Interface metric family as part of it, but it simply shows up as "Not Supported" under the Polled Metric Families against the device.

     

     

    Any other clues please?



  • 4.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Mar 16, 2018 08:28 AM

    Phani,

     

    The next step would be to go take a look at the Metric Family / Vendor Certification to see what the required fields are.  From there we can try a targeted walk to see if they exist in the device as well as check DcDebug for Discover logging to see what PM is seeing.  To find what the required OIDs are we can take a look at the metric family and see which Vendor Certification "should" be used in the priority list:

     

    This is from my 3.5 environment with no custom work:

     

     

    As you say it is a Checkpoint Device I am going to guess that it is the CheckPoint Firewall Appliances Interface Vendor Certification you want.  

     

    If you add the column name Internal Name in the Vendor Certifications window (mouse over the sort arrow on the column header and click the cog wheel that appears) you will need that name.  For my example it is:

     

    Next we take the DA REST interface using the name and look for any entries that are IsKey = True:

     

    daHostname:8581/typecatalog/certifications/snmp/CheckpointFwAppliancesInterfaceMib

     

    Search for:

    <IsKey>true</IsKey>

     

    In my environment I have only one which also corresponds to: vsxStatusInterfaceVSID

     

    <Attribute name="Index" type="ObjectID">
    <Documentation/>
    <IsKey>true</IsKey>
    <IsIndex>true</IsIndex>
    <NeedsDelta>false</NeedsDelta>
    <Source>1.3.6.1.4.1.2620.1.16.22.5.1.1</Source>

    What does your environment show?  If this OID is available for all of your virtual interfaces I think the next step would be to open a Support Case for further troubleshooting.  If you do go that route please link this post in the case description so the engineer can see the steps you have already taken.

    Troy
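
The check described in the post above (collect the IsKey attributes of the vendor certification, then see whether the device walk has any instance under their Source OIDs), as an added example that is not part of the original post or of CA PM itself. It assumes the certification XML was saved from the DA REST URL and the walk was captured in net-snmp numeric form; the wrapper element, the sample walk and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; only the first <Attribute> mirrors the thread's fragment.
SAMPLE_CERT_XML = """<Certification>
  <Attribute name="Index" type="ObjectID">
    <Documentation/>
    <IsKey>true</IsKey>
    <IsIndex>true</IsIndex>
    <NeedsDelta>false</NeedsDelta>
    <Source>1.3.6.1.4.1.2620.1.16.22.5.1.1</Source>
  </Attribute>
  <Attribute name="ExampleCounter" type="Long"><IsKey>false</IsKey></Attribute>
</Certification>"""

# Constructed walk in net-snmp numeric style; ...5.1.10 is a deliberate near miss.
SAMPLE_WALK = """.1.3.6.1.2.1.1.5.0 = STRING: "fw-example"
.1.3.6.1.4.1.2620.1.16.22.5.1.10.1.0 = INTEGER: 7
"""

def local(tag):  # drop an XML namespace prefix, if the document uses one
    return tag.rsplit("}", 1)[-1]

def key_attributes(cert_xml):
    """Return {attribute name: Source OID} for every IsKey=true attribute."""
    keys = {}
    for el in ET.fromstring(cert_xml).iter():
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag) == "Attribute" and fields.get("IsKey") == "true":
            keys[el.get("name")] = fields.get("Source", "")
    return keys

def walk_oids(walk_text):
    """Parse 'OID = TYPE: value' lines into tuples of OID components."""
    oids = [l.split(" = ", 1)[0].strip().lstrip(".") for l in walk_text.splitlines()]
    return [tuple(o.split(".")) for o in oids if o.replace(".", "").isdigit()]

def missing_keys(cert_xml, walk_text):
    """Key attributes that have no instance under their Source OID in the walk."""
    seen = walk_oids(walk_text)
    missing = []
    for name, source in key_attributes(cert_xml).items():
        prefix = tuple(source.strip(".").split("."))
        # Compare whole components so ...5.1.1 does not match ...5.1.10.
        if not any(o[:len(prefix)] == prefix and len(o) > len(prefix) for o in seen):
            missing.append(name)
    return missing

if __name__ == "__main__":
    print(missing_keys(SAMPLE_CERT_XML, SAMPLE_WALK))
```

An empty result means every key OID of the certification is answered in the walk; any name returned is a key attribute the walk has no instance for.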


  • 5.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 18, 2018 09:12 PM

    Hi Troy,

     

    Thank you for the instructions, variables in my environment look quite the same as what you posted and I did not actually find "vsxStatusInterfaceVSID" variables when I queried in the device MIB walk file.

     

    vsxStatusInterfaceVSID variable seems to be referencing the "CHECKPOINT-MIB" but I couldn't actually find this variable in the vendor MIB itself when I tried to look for it. We have the device discovered in Spectrum and I could see the interface information for VSX displayed without any issues. I see Spectrum seems to be querying the fwIfTable in the "CHECKPOINT-MIB" to get the interface information and this information would not be displayed unless we use the context name which Spectrum automatically picks up during the SNMPv3 discovery.

     

    Main Device 

    VSX

    I am not sure how CA PM works with the contexts during discovery, as I do not see much info related to VSX discovered though we have all the needed metric families included.

     

    Any thoughts on this please?

     



  • 6.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Mar 19, 2018 07:12 PM

    If that is the case it looks like you may fall under these ideas as well then by the Context information you mentioned:

     

    Need SNMPv3 context support for Checkpoint VSX firewalls 

    SNMPv3 Discovery with Context 



  • 7.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 19, 2018 07:42 PM

    Yes, I have seen those ideas, the one for CA PM was opened in 2015 and the certification for CheckPoint Gaia OS VSX R77.20 is done in 3.1 which was released around 2017. Also I see the variables related to VSX are already available in certification as per the vendor support list, so was expecting that this functionality would already be included in CA PM.

     

    Maybe this needs to be verified with the product management.



  • 8.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 19, 2018 07:46 PM

    jason_normandin Could you please advise?



  • 9.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Mar 21, 2018 08:03 AM

    Phani,

     

    What version of PM are you using?  I just checked 3.1-3.5 machines and within the SNMP Profile, you can set a context name.  Have you tried adding the context name that Spectrum is seeing there?

     

    Troy



  • 10.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 21, 2018 06:41 PM

    Hi Troy,

     

    We are on 3.5, yes I did try to use the context option available in SNMPv3 but it didn't really work for me. 

     

    -Phani



  • 11.  Re: CA PM - CheckPoint Firewall VSX interface discovery
    Best Answer

    Broadcom Employee
    Posted Mar 22, 2018 08:51 AM

    Apologies Phani but I have reached the limit of what I can do via Communities.  With none of the above steps we took working, my recommendation is to open a Support Case (link this thread in the description) so a Support Engineer can take a further detailed look into what is going on or rather what is not going on.

     

    Troy



  • 12.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 22, 2018 07:14 PM

    Hi Troy,

     

    Thanks for all the inputs, we already have an issue open with Support on this. I'll post the community link to the support ticket for reference.

     

    Thank you,

    Phani



  • 13.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Mar 22, 2018 09:44 PM

    Phani,

     

    Would you be able to email me the case number?  I would like to look further into it as well as follow the case.

     

    troy.rondeau@ca.com

     

    Troy



  • 14.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 22, 2018 10:20 PM

    Sure, thank you



  • 15.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 16, 2018 09:26 AM

    Run an 'update metric families' on the device. The last discovered says 7th of February on your link. 



  • 16.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Mar 18, 2018 08:46 PM

    I have tried this already and it did not help.



  • 17.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Broadcom Employee
    Posted Apr 12, 2018 01:42 PM

    Hi Phani,

     

    We have a project on the backlog to address some shortcomings in our Checkpoint monitoring. Unfortunately, we don't yet have a target deliverable identified.

     

    In the interim, would you be able to submit a certification request with Technical Support and forward me (norja08@ca.com) the certification ID so I can follow-up with R&D?

     

    Thanks!

    Jason



  • 18.  Re: CA PM - CheckPoint Firewall VSX interface discovery

    Posted Apr 15, 2018 07:44 PM

    Hi Jason,

     

    The metrics I was looking for are actually certified, but for some reason do not seem to be getting collected in CA PM. We have an open ticket with Support and were informed that there are multiple customers facing the same issue.

     

    Anyways, will send you an email with the ticket number.

     

    Thanks,

    Phani