Oracle® Enterprise Manager

System Monitoring Plug-in Installation Guide for Check Point Firewall

Release 6 (2.1.1.0.0)

E11851-01

December 2007

This document provides a brief description about the Oracle System Monitoring Plug-in for Check Point Firewall, details on the versions the plug-in supports, prerequisites for installing the plug-in, and step-by-step instructions on how to download, install, verify, and validate the plug-in.

Description

The System Monitoring Plug-in for Check Point Firewall extends Oracle Enterprise Manager Grid Control to add support for managing Check Point Firewalls. By deploying the plug-in in your Grid Control environment, you gain the following management features for Check Point Firewall:

• Monitor Check Point Firewall devices.

• Gather configuration and track configuration changes for Check Point Firewall instances.

• Raise alerts and violations based on thresholds set on monitoring and configuration data.

• Provide rich out-of-box reports for the user interface based on the gathered data.

• Support monitoring by a remote Agent. For remote monitoring, the Agent does not need to be on the same computer as Check Point Firewall.

Platforms Supported

The plug-in supports monitoring of Check Point Firewall instances on Linux and Unix.

It also supports Nokia Operating System IPSO.

Versions Supported

This plug-in supports the following versions of products:

• Enterprise Manager Grid Control 10g Release 2 Management Service and Agent

• Check Point Firewall versions:

  • NG- AI (R54)

  • NG-AI (R55)

  • NG-AI (R60)

  • NGX

Prerequisites

The following prerequisites must be installed before you can deploy the plug-in:

• Oracle Enterprise Manager Grid Control 10g Release 2 or higher system and Agent

• Check Point Firewall instance

• If 'SNMP Community' (other than default community 'public') is configured and required for monitoring the Check Point Firewall Target, you must add the Enterprise Manager Agent's IP address for the particular Simple Network Management Protocol (SNMP) Community.

• Configured Security Policy rules to allow connections from the Enterprise Manager Grid Control system to the Check Point Firewall using the predefined services snmp (UDP port 161) and FW1_snmp (UDP port 260) as needed.

  For Linux/Unix Operating System, the prerequisites are as follows:

  • Both the host SNMP daemon (snmpd) and Firewall SNMP daemon (cpsnmpd) must be running on the Check Point Firewall device.

  • UCD-SNMP-MIB is registered

  See Also:

  "Unix/Linux Prerequisites Procedure"

The information provided here are the prerequisite procedures to enable SNMP gets on the Check Point Firewall device. For additional information, refer to the Check Point documentation.

Deploying the Plug-in

After you ensure that the prerequisites are met, follow these steps to deploy the plug-in:

1. Download the Check Point Firewall Plug-in archive to your desktop or computer on which the browser is launched. You can download the archive from the Oracle Technology Network (OTN).

2. Log in to Enterprise Manager Grid Control as a Super Administrator.

3. Click the Setup link in the upper right corner of the Grid Control Home page, then click the Management Plug-ins link on the left side of the Setup page.

4. Click Import.

5. Click Browse and select the plug-in archive.

6. Click List Archive.

7. Select the plug-in and click OK.

8. Verify that you have set preferred credentials on all Agents where you want to deploy the plug-in.

9. In the Management Plug-ins page, click the icon in the Deploy column for the Check Point Firewall plug-in. The Deploy Management Plug-in wizard appears.

10. Click Add Agents, then select one or more Agents to which you want to deploy the plug-in. The wizard reappears and displays the Agent you selected.

11. Click Next, then click Finish.

    If you see an error message stating that the preferred credential is not set up, go to the Preferences page and add the preferred credentials for the Agent target type.

    If there are no errors, you can see the following page:

    Figure 1 Successful Deployment

    
    

Adding Instances for Monitoring

After successfully deploying the plug-in, follow these steps to add the plug-in target to Grid Control for central monitoring and management:

1. From the Agent Home page where the Check Point Firewall Plug-in was deployed, select the Check Point Firewall target type from the Add drop-down list, then click Go. The Add Check Point Firewall page appears.

2. Provide the following information for the properties:

   • Name — Name for the plug-in, such as My_Check_Point_1

   • Firewall Hostname or IP Address — Name/IP Address of the Check Point Firewall device

   • Check Point SNMP Daemon Port — Port number where the Check Point SNMP daemon is running. The default is 260 on Linux platforms.

   • Host SNMP Daemon Port — Port number where the native OS SNMP daemon is running. The default is 161.

   • SNMP Community — Community name for which the Agent IP address is added. The default is Public.

   • SNMP Timeout — Timeout value by when the SNMP call should be terminated. A value of 5 is recommended.

   • Check Point Firewall Web UI URL — URL of the Check Point Web interface

   • Telnet Enabled (y/n) — If telnet is enabled on the Check Point Firewall device, specify the default value of y. Otherwise, leave this field blank.

3. Click Test Connection to make sure the parameters you entered are correct.

4. Reenter the encrypted parameters from step 2 if the connection test was successful, then click OK.

Note:

After you deploy and configure the plug-in to monitor one or more targets in the environment, you can customize the monitoring settings of the plug-in. This alters the collection intervals and threshold settings of the metrics to meet the particular needs of your environment. If you decide to disable one or more metric collections, this could impact the reports that the metric is a part of.

Figure 2 Add Check Point Firewall Page

Verifying and Validating the Plug-in

After waiting a few minutes for the plug-in to start collecting data, use the following steps to verify and validate that Enterprise Manager is properly monitoring the plug-in target:

1. Click the Check Point Firewall target link from the Agent home page Monitored Targets table. The Check Point Firewall home page appears.

   Figure 3 Check Point Firewall Home Page

   
   

2. Verify that no metric collection errors are reported in the Metrics table.

3. Ensure that reports can be seen and no errors are reported by selecting the Reports property page.

4. Ensure that configuration data can be seen by clicking the View Configuration link in the Configuration section. If configuration data does not immediately appear, click Refresh in the View Configuration page.

Unix/Linux Prerequisites Procedure

Before proceeding to the section, do the following:

1. Find the snmpd.conf file, which is located under /etc/snmp or /etc/SnmpAgent.d. For more information, see the Directories Searched section in the following SNMP.CONF Website:

   http://net-snmp.sourceforge.net/docs/man/snmp_config.html

2. Edit the snmpd.conf file to enable SNMP calls for the following OIDs:

   # Make at least snmpwalk -v 1 localhost -c public system fast again.
   #       name           incl/excl     subtree         mask(optional)
   view    systemview    included   .1.3.6.1.2.1.1
   view    systemview    included   .1.3.6.1.2.1.2
   view    systemview    included   .1.3.6.1.4.1.2021.11
   view    systemview    included   .1.3.6.1.4.1.2021.4
   view    systemview    included   .1.3.6.1.2.1.25
   view    systemview    included   .1.3.6.1.2.1.4
   

3. Execute the following commands in sequence on the Check Point Firewall device:

   1. service snmpd stop

      If the snmpd service is running, the output of the command is:

      stopping snmpd [OK]

      If the snmpd service is not running, the output of the command is:

      stopping snmpd [FAILED]

   2. service snmpd start

      The output of the command is:

      starting snmpd [OK]

4. Enable the Check Point SNMP Extension using the cpconfig command.

   On Unix platforms, a special Check Point SNMP daemon, cpsnmpd, is installed. This daemon provides status information on VPN-1 Pro specific objects. This daemon is not run by default. The daemon is enabled or disabled through cpconfig. Once enabled, the daemon listens on port 260.

   Note:

   The standard Unix SNMP daemon loads before the Check Point daemon and binds to port 161. If the regular daemon is not running, cpsnmpd binds to both ports (161 and 260). If both ports are occupied by a previous process, the Check Point daemon does not run. Furthermore, if the Check Point daemon receives a request for an unrecognized OID, it does not forward this to the standard SNMP OS daemon.

Undeploying the Plug-in

Follow these steps to undeploy the plug-in from an Agent:

1. Log in to Enterprise Manager Grid Control as a Super Administrator.

2. Select the Targets tab, then the All Targets subtab. The All Targets page appears.

3. Select the Check Point Firewall Plug-in target and click Remove. You must do this step for all targets of the plug-in.

4. Make sure that the preferred credentials are set on the Agents where the plug-in is deployed.

5. Click the Setup link in the upper right corner of the All Targets page, then click the Management Plug-ins link on the left side of the Setup page. The Management Plug-ins page appears.

6. Click the icon in the Undeploy column for the Check Point Firewall Plug-in. The Undeploy Management Plug-in page appears.

7. Check all the Agents that are currently deployed with the Check Point Firewall Plug-in and click OK.

   You must undeploy the plug-in from every Agent in the system to completely remove it from the enterprise.

8. Select the Check Point Firewall Plug-in on the Management Plug-ins page and click Delete.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

TTY Access to Oracle Support Services

Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.

---

System Monitoring Plug-in Installation Guide for Check Point Firewall, Release 6 (2.1.1.0.0)

E11851-01

Copyright © 2007 Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software—Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.