What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Monitoring Check Point Firewalls with PRTG?

Votes:

0

Our organization runs a Check Point as Firewall/Router. Is there any way to obtain meaningful information from the appliance using PRTG? Are there built-in sensors I can use?

This device's operation is very sensitive for my organization and we want to have additional monitoring so that we are alerted as soon as anything goes wrong.

What are my options? I've attempted to use the MIB but had a hard time importing it and deploying any sensors. Assistance is appreciated.

check-point checkpoint firewall health monitoring paetemplate snmp template

Created on Oct 12, 2017 12:32:03 PM by Luciano Lingnau [Paessler]

Last change on Oct 25, 2017 8:10:01 AM by Luciano Lingnau [Paessler]



1 Reply

Accepted Answer

Votes:

2

This article applies to PRTG Network Monitor 16.3.25 or later

Monitoring Check Point Firewalls

While PRTG provides a couple of sensors that work with Check Point firewalls by default, for example the SNMP Traffic sensor and the SNMP System Uptime sensor, you may be looking for more detailed and specific metrics/sensors.

Adding Custom Sensors using the Auto-Discovery + Template

You can use the device template that we provide below to automatically create custom sensors with the PRTG auto-discovery.

The metrics that are available can vary. The sensors can monitor the following if the data is available:

  • Fans
    • Status
    • Speed
  • HA Status
    • Status
  • Temperatures
    • Status
    • Value (Reading)
  • Voltages
    • Status
    • Value (Reading)
  • VPN Encryption Counters
    • Encrypted Packets
    • Decrypted Packets
  • VPN Tunnels
    • State
    • Probe State

The device template creates the available and compatible sensors based on the data at hand. The sensors implement default alerts whenever possible, but you can still fine-tune most channels by defining additional limits in the sensor channels settings or modifying the lookups included by default.

Requirements

  • PRTG Network Monitor 16.3.25 or later
  • Because the device template relies on the auto-discovery process, the device you want to monitor needs to be reachable via PING.
  • SNMP must be enabled and the device must support the CHECKPOINT-MIB.

Known Issues and Limitations

  • When more VPN Tunnels are created, re-run the discovery to monitor these. You can also use the Auto-Discovery schedule for this.
  • If a VPN Tunnel is renamed, the corresponding sensor will fail. Either update the name in the sensor's settings or delete the sensor and run a new auto-discovery with the template.
  • PRTG shows the alerts as reported by the monitored device via SNMP using lookups. If the status is not reported correctly via SNMP, PRTG cannot detect any issues. For additional alerts, please set up limits for additional channels.
  • This device template was created based on data collected from other customers, so we cannot guarantee that the sensors described above will work on your systems. Use these components at your own risk. Please test and validate the sensors in your environment after deploying them.

Deployment and Usage

  1. Download the required zip archive containing the template's files here.
  2. Extract the archive to your PRTG program directory. By default, this is %Program Files (x86)%\PRTG Network Monitor\.
  3. In PRTG, restart the core server: open Setup | System Administration | Administrative Tools | Restart Core Server and click Go!. This ensures that the MIB and lookups are loaded before you run the auto-discovery.
  4. Create a new device in PRTG with the address (IP or FQDN) of the device that you want to monitor and configure the SNMP credentials accordingly.
  5. Right-click your new device, select Run Auto Discovery with Template, browse for check point health and select the Custom Check Point Health v0.x template from the list.
    Note: Using the auto-discovery with a dedicated device template is convenient here because it automates the creation of the custom sensors in an organized fashion.
  6. The sensors are deployed after a couple of seconds.
  7. You can adjust the channel limits or lookups to your needs later.

Result

The resulting sensors look like this:

Sensor's Overview

AP Sensor's Overview

Click for full-screen view

SSID Sensor's Overview

Click for full-screen view

Device's Overview

Device's Overview

Click for full-screen view

No sensors deployed? :(
Please read ahead for troubleshooting.

Troubleshooting

Have any issues? Please don't hesitate to contact us by replying to this post or via a support ticket. Please make sure to mention this KB post. Please read ahead for troubleshooting steps that you can take in advance.

Auto-Discovery Log

Your auto-discovery log tells you a lot about what went wrong during the sensor's deployment. You can troubleshoot the auto-discovery by inspecting the auto-discovery log. If you get entries like the one below (NOT FOUND), it means that the required protocol or Object Identifier (OID) is not available and the sensors can't be deployed.

[...]
21.08.2017 09:17:17: Template Loaded; Device ID: 22848; Name: Custom Check Point Health v0.4
21.08.2017 09:17:18: Template Check; Device ID: 22848; Check ID: ping; FOUND
21.08.2017 09:17:19: Template Check; Device ID: 22848; Check ID: snmp; FOUND
21.08.2017 09:17:20: Template Check; Device ID: 22848; Check ID: snmp_voltageSensorTable; NOT FOUND
[...]

In the example above, some sensors were skipped because the device did not respond to the snmp_voltageSensorTable check. This means that this data is probably not available on your device. You can track this data by looking for the name after snmp_. In this case, a search for voltageSensorTable will tell you what OID from what MIB is missing.

You can also use this log to identify if the discovery was interrupted because the device did not respond to PING or to a basic SNMP check.

SNMP Data

If the discovery log is not sufficient, you can review the SNMP data directly from your device. To do so, save the text below (in the white box) as .txt and use it with the Scan Script option in our SNMP Tester. This will allow you to review which SNMP queries succeed and which do not deliver any data. Please have this information at hand when contacting our support team. 

--------
Walk Default
--------
hrSystemUptime
walk=1.3.6.1.2.1.25.1.1
--------
MIB-2 System
walk=1.3.6.1.2.1.1
--------
Sensor Specific Queries
----
fanSpeedSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.2
---
ha
walk=1.3.6.1.4.1.2620.1.5
---
tempertureSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.1
---
cpvIpsecStatistics
walk=1.3.6.1.4.1.2620.1.2.5.4
---
tunnelTable
walk=1.3.6.1.4.1.2620.500.9002
---
voltageSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.3
---

Version History

VersionDescription
0.1Test Version
0.2Initial release
0.4Added Voltage Sensors
0.5Changed value type from Absolute to Flow for Fan Speed, required in newer software images



Best Regards,
Luciano Lingnau [Paessler Support]

Created on Oct 12, 2017 12:32:52 PM by Luciano Lingnau [Paessler]

Last change on Jul 26, 2021 11:19:56 AM by Maike Guba [Paessler Support] (2,404) 2 1




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.