1. SNMP General Settings:
2. V3 – user-based Security Model (USM)
Authentication uses MD5.
Privacy uses DES.
If you want to change to SHA or AES, you have to add the SNMPv3 user from the command line. All the steps are listed under Step 4.
3. Enabled Traps
4. Trap Receivers Settings
For the command-line equivalent, there is a good post on pingtool.org. Some of the configuration is copied here:
set snmp agent on
set snmp contact "[email protected]"
set snmp location "Middle of nowhere"
add snmp address 126.96.36.199
set snmp agent-version v3-Only
add snmp usm user snmpv3user security-level authPriv auth-pass-phrase 111222333 privacy-pass-phrase 555666777
Notes: By default, in the WebGUI, Checkpoint SNMPv3 only supports MD5 and DES for the Authentication Type and Privacy Type. When setting up the SNMP manager server, make sure you choose MD5 and DES.
CP> show snmp
addresses – snmp agent address
agent – snmp daemon
agent-version – snmp version
community – snmp agent community
contact – snmp Contact
location – snmp Location
traps – snmp Traps
usm – SNMPv3 USM (User-based Security Model)
CP> show snmp usm user ReadView-All
Security Level authPriv
Authentication Type MD5
Privacy Type DES
Note: From the command line, you can manually add an SNMPv3 user that uses SHA or AES. The following steps, from SK97692, configure SNMPv3 users on Gaia OS to use SHA (SHA1) / AES authentication:
4.1. Connect to the command line on the Gaia OS machine (over SSH, or console).
4.2. Log in to Clish.
4.3. Stop the SNMP Agent from Clish:
HostName> set snmp agent off
4.4. Log in to Expert mode.
4.5. Back up the current /etc/snmp/userDefinedSettings.conf file:
[[email protected]]# cp /etc/snmp/userDefinedSettings.conf /etc/snmp/userDefinedSettings.conf_ORIGINAL
4.6. Edit the current /etc/snmp/userDefinedSettings.conf file:
[[email protected]]# vi /etc/snmp/userDefinedSettings.conf
4.7. Define an SNMPv3 user by using the ‘createUser’ directive, followed by the ‘rwuser’ directive.
createUser username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]
rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
Notes for ‘createUser’ directive:
‘createUser’ directive creates an SNMPv3 user.
MD5 and SHA are the authentication types to use.
DES and AES are the privacy protocols to use.
If the privacy ‘privpassphrase’ is not specified, it is assumed to be the same as the authentication ‘authpassphrase’.
Warning: the minimum pass phrase length is 8 characters.
Notes for ‘rwuser’ directive:
‘rwuser’ directive allows read-write (GET, GETNEXT and SET) access for an SNMPv3 user (by default, this will provide access to the full OID tree for authenticated (including encrypted) SNMPv3 requests, using the default context).
‘noauth’ allows unauthenticated requests.
‘auth’ allows only authenticated requests.
‘priv’ enforces the use of encryption.
The ‘OID’ field restricts access for that user to the subtree rooted at the given OID.
The ‘VIEW’ field restricts access for that user to the subtree rooted at the given named view.
createUser test_user SHA pass1234
4.8. Log in to Clish.
4.9. Start the SNMP Agent from Clish:
HostName> set snmp agent on
HostName> save config
4.10. Log in to Expert mode.
4.11. Test the new SNMPv3 user:
[[email protected]]# snmpget -v 3 -u <username> -n "" -l authNoPriv -a SHA -A <password> localhost sysUpTime.0
[[email protected]]# snmpget -v 3 -u test_user -n "" -l authNoPriv -a SHA -A pass1234 localhost sysUpTime.0
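The check below is an added example, not part of the original post or SK97692: a shell function that reads a net-snmp style file such as /etc/snmp/userDefinedSettings.conf and flags createUser/rwuser lines that keep MD5 or DES, use pass phrases under 8 characters, or grant rwuser access without priv or without an OID/VIEW restriction. The function name audit_snmp_conf and the sample entries are constructed for illustration, and pass phrases are assumed to contain no spaces.

```bash
#!/bin/bash
# Added example: flag weak SNMPv3 settings in a net-snmp style config such as
# /etc/snmp/userDefinedSettings.conf. Assumes pass phrases contain no spaces.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_snmp_conf() {
    awk '
    function flag(user, msg) { print user ": " msg; n++ }
    $1 == "createUser" {
        # createUser username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]
        if ($3 == "MD5") flag($2, "MD5 authentication (use SHA)")
        if (length($4) < 8) flag($2, "auth pass phrase shorter than 8 characters")
        if ($5 == "") flag($2, "no privacy protocol, traffic cannot be encrypted")
        if ($5 == "DES") flag($2, "DES privacy (use AES)")
        if ($5 != "" && $6 == "") flag($2, "privacy pass phrase reuses auth pass phrase")
        if ($6 != "" && length($6) < 8) flag($2, "privacy pass phrase shorter than 8 characters")
    }
    $1 == "rwuser" {
        # rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
        i = ($2 == "-s") ? 4 : 2
        level = ($(i + 1) == "") ? "auth" : $(i + 1)   # default level is auth
        if (level != "priv") flag($i, "rwuser level " level " does not enforce encryption")
        if ($(i + 2) == "") flag($i, "read-write access to the full OID tree")
    }
    END { exit (n > 0) }
    ' "${1:-/etc/snmp/userDefinedSettings.conf}"
}

# Constructed sample config (not taken from a real gateway).
sample=$(mktemp)
cat > "$sample" <<'EOF'
createUser test_user SHA pass1234
rwuser test_user
createUser legacy MD5 short DES
rwuser legacy noauth
createUser monitor SHA auth-phrase-0001 AES priv-phrase-0002
rwuser monitor priv .1.3.6.1.2.1.1
EOF
audit_snmp_conf "$sample" || echo "weak SNMPv3 settings found in $sample"
rm -f "$sample"
```

On the sample, test_user and legacy are flagged and monitor (SHA, AES, priv, restricted to one subtree) produces no findings.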
5. Restart your snmp daemon:
For SPLAT OS, please refer to the following post:
[[email protected]]# snmp user del public
[[email protected]]# snmp user add authuser Nagios pass complexpassphrase priv privatepass
[[email protected]]# snmp service enable