This article applies to PRTG Network Monitor 16.3.25 or later
Monitoring Check Point Firewalls
While PRTG provides a couple of sensors that work with Check Point firewalls by default, for example the SNMP Traffic sensor and the SNMP System Uptime sensor, you may be looking for more detailed and specific metrics/sensors.
Adding Custom Sensors using the Auto-Discovery + Template
You can use the device template that we provide below to automatically create custom sensors with the PRTG auto-discovery.
The metrics that are available can vary. The sensors can monitor the following if the data is available:
- Fans
- HA Status
- Temperatures
- Voltages
- VPN Encryption Counters
- Encrypted Packets
- Decrypted Packets
- VPN Tunnels
The device template creates the available and compatible sensors based on the data at hand. The sensors implement default alerts whenever possible, but you can still fine-tune most channels by defining additional limits in the sensor channels settings or modifying the lookups included by default.
Requirements
- PRTG Network Monitor 16.3.25 or later
- Because the device template relies on the auto-discovery process, the device you want to monitor needs to be reachable via PING.
- SNMP must be enabled and the device must support the CHECKPOINT-MIB.
Known Issues and Limitations
- When more VPN Tunnels are created, re-run the discovery to monitor these. You can also use the Auto-Discovery schedule for this.
- If a VPN Tunnel is renamed, the corresponding sensor will fail. Either update the name in the sensor's settings or delete the sensor and run a new auto-discovery with the template.
- PRTG shows the alerts as reported by the monitored device via SNMP using lookups. If the status is not reported correctly via SNMP, PRTG cannot detect any issues. For additional alerts, please set up limits for additional channels.
- This device template was created based on data collected from other customers, so we cannot guarantee that the sensors described above will work on your systems. Use these components at your own risk. Please test and validate the sensors in your environment after deploying them.
Deployment and Usage
- Download the required zip archive containing the template's files here.
- Extract the archive to your PRTG program directory. By default, this is %Program Files (x86)%\PRTG Network Monitor\.
- In PRTG, restart the core server: open Setup | System Administration | Administrative Tools | Restart Core Server and click Go!. This ensures that the MIB and lookups are loaded before you run the auto-discovery.
- Create a new device in PRTG with the address (IP or FQDN) of the device that you want to monitor and configure the SNMP credentials accordingly.
- Right-click your new device, select Run Auto Discovery with Template, browse for check point health and select the Custom Check Point Health v0.x template from the list.
Note: Using the auto-discovery with a dedicated device template is convenient here because it automates the creation of the custom sensors in an organized fashion.
- The sensors are deployed after a couple of seconds.
- You can adjust the channel limits or lookups to your needs later.
Result
The resulting sensors look like this:
Sensor's Overview
Click for full-screen view
Click for full-screen view
Device's Overview
Click for full-screen view
No sensors deployed? :(
Please read ahead for troubleshooting.
Troubleshooting
Have any issues? Please don't hesitate to contact us by replying to this post or via a support ticket. Please make sure to mention this KB post. Please read ahead for troubleshooting steps that you can take in advance.
Auto-Discovery Log
Your auto-discovery log tells you a lot about what went wrong during the sensor's deployment. You can troubleshoot the auto-discovery by inspecting the auto-discovery log. If you get entries like the one below (NOT FOUND), it means that the required protocol or Object Identifier (OID) is not available and the sensors can't be deployed.
[...]
21.08.2017 09:17:17: Template Loaded; Device ID: 22848; Name: Custom Check Point Health v0.4
21.08.2017 09:17:18: Template Check; Device ID: 22848; Check ID: ping; FOUND
21.08.2017 09:17:19: Template Check; Device ID: 22848; Check ID: snmp; FOUND
21.08.2017 09:17:20: Template Check; Device ID: 22848; Check ID: snmp_voltageSensorTable; NOT FOUND
[...]
In the example above, some sensors were skipped because the device did not respond to the snmp_voltageSensorTable check. This means that this data is probably not available on your device. You can track this data by looking for the name after snmp_. In this case, a search for voltageSensorTable will tell you what OID from what MIB is missing.
You can also use this log to identify if the discovery was interrupted because the device did not respond to PING or to a basic SNMP check.
SNMP Data
If the discovery log is not sufficient, you can review the SNMP data directly from your device. To do so, save the text below (in the white box) as .txt and use it with the Scan Script option in our SNMP Tester. This will allow you to review which SNMP queries succeed and which do not deliver any data. Please have this information at hand when contacting our support team.
--------
Walk Default
--------
hrSystemUptime
walk=1.3.6.1.2.1.25.1.1
--------
MIB-2 System
walk=1.3.6.1.2.1.1
--------
Sensor Specific Queries
----
fanSpeedSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.2
---
ha
walk=1.3.6.1.4.1.2620.1.5
---
tempertureSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.1
---
cpvIpsecStatistics
walk=1.3.6.1.4.1.2620.1.2.5.4
---
tunnelTable
walk=1.3.6.1.4.1.2620.500.9002
---
voltageSensorTable
walk=1.3.6.1.4.1.2620.1.6.7.8.3
---
Version History
Version | Description |
0.1 | Test Version |
0.2 | Initial release |
0.4 | Added Voltage Sensors |
0.5 | Changed value type from Absolute to Flow for Fan Speed, required in newer software images |
Best Regards,
Luciano Lingnau [Paessler Support]
Add comment