VPN tunnel monitoring for non-Certified Checkpoint devices

Document ID : KB000015328
Last Modified Date : 14/02/2018
Introduction:

Currently, out-of-the-box VPN tunnel support covers Cisco devices that support the CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB.


However, for devices such as Checkpoint firewalls, a SpectroWATCH can be created to monitor the VPN tunnel state of each tunnel and raise an alarm when a tunnel goes down.

Question:

How can I configure VPN tunnel monitoring for Checkpoint firewalls?

Environment:
Spectrum 10.1.2, Spectrum 10.1.1, Spectrum 10.1.0, Spectrum 10.0
Answer:

While Spectrum does not have Checkpoint firewall VPN support out of the box, once the Checkpoint MIBs are imported into Spectrum, a SpectroWATCH can be created to monitor the Checkpoint MIB attribute Tunnel State, OID 1.3.6.1.4.1.2620.500.9002.1.3:


- tunnelState values: 3 = active, 4 = destroy, 129 = idle, 130 = phase1, 131 = down, 132 = init (see Checkpoint SK63663)

1. Map tunnelState to an attribute

2. Create a Watch on that attribute

- tunnelState is a list attribute: it contains one entry per tunnel currently configured on the Checkpoint device

**** Watch Expression **** 


1. The expression can be tunnelState.# with the instance set to "all", which evaluates every tunnel in the list

2. Or the expression can be set to tunnelState.199.204.139.93.0, where "199.204.139.93.0" is the instance ID of that one tunnel as seen in a GetNext query of tunnelState in MIB Tools


**** Watch Properties ****


1. Recommended: select "evaluate by polling" and UNCHECK "make inheritable"

2. Reason: in 10.1, Checkpoint devices are modeled as "gnSNMPDev", and setting a polling Watch on GnSNMPDev with "make inheritable" would force Spectrum to evaluate the watch on virtually all models in Spectrum, which would cause problems

3. So the best option is to run the watch only on the gnSNMPDev models themselves


**** Watch Threshold **** 


1. Recommended threshold: tunnelState == 131 (tunnel down)

2. Set the Event to raise an Alarm when the tunnel is down
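The watch logic above, as an added illustration that is not part of the original KB article or of Spectrum itself: a small Python script that parses constructed snmpwalk-style output for the tunnelState OID, extracts each tunnel's instance ID, and evaluates the "== 131" threshold either across all instances or for one named instance, mirroring the two expression forms. The sample walk lines are constructed; only the instance 199.204.139.93.0 comes from the article.

```python
import re

# Checkpoint tunnelState OID from the article; the instance ID follows it.
TUNNEL_STATE_OID = "1.3.6.1.4.1.2620.500.9002.1.3"

# Value-to-name mapping as listed in the article (SK63663).
TUNNEL_STATES = {3: "active", 4: "destroy", 129: "idle",
                 130: "phase1", 131: "down", 132: "init"}

# Threshold used by the recommended watch: 131 means the tunnel is down.
DOWN = 131

# One snmpwalk-style line in numeric-OID form: "<oid>.<instance> = INTEGER: <value>".
_LINE = re.compile(r"^(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<val>\d+)\s*$")


def parse_tunnel_states(walk_output):
    """Return {instance_id: state_code} for every tunnelState row in the walk."""
    rows = {}
    for line in walk_output.splitlines():
        m = _LINE.match(line.strip())
        if not m or not m.group("oid").startswith(TUNNEL_STATE_OID + "."):
            continue  # not a tunnelState row (or not parseable); skip it
        instance = m.group("oid")[len(TUNNEL_STATE_OID) + 1:]
        rows[instance] = int(m.group("val"))
    return rows


def evaluate_watch(rows, instance="all", threshold=DOWN):
    """Mimic the watch: instance "all" checks every tunnel, otherwise one.
    Returns the instance IDs whose state equals the threshold (i.e. alarms)."""
    if instance == "all":
        candidates = rows.items()
    else:
        candidates = [(instance, rows.get(instance))]  # None if instance is absent
    return [inst for inst, code in candidates if code == threshold]


def describe(rows):
    """Human-readable state per tunnel, for the alarm text."""
    return {inst: TUNNEL_STATES.get(code, "unknown(%d)" % code)
            for inst, code in rows.items()}


# Constructed sample walk output, not a capture from a real device.
SAMPLE_WALK = """\
1.3.6.1.4.1.2620.500.9002.1.3.199.204.139.93.0 = INTEGER: 3
1.3.6.1.4.1.2620.500.9002.1.3.203.0.113.7.0 = INTEGER: 131
1.3.6.1.4.1.2620.500.9002.1.3.198.51.100.20.0 = INTEGER: 129
"""

if __name__ == "__main__":
    states = parse_tunnel_states(SAMPLE_WALK)
    print(describe(states), "down:", evaluate_watch(states))
```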