vineri, 31 mai 2013

WMIC Samples

As promised, here are the sample WMIC commands I demonstrated in the Automating Windows Server 2003 session yesterday evening in Reading. Hope they are useful to you.
Update static IP addresswmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")

Change network gatewaywmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)

Enable DHCPwmic nicconfig where index=9 call enabledhcp

Service Managementwmic service where caption="DHCP Client" call changestartmode "Disabled"

Start an applicationwmic process call create "calc.exe"

Terminate an applicationwmic process where name="calc.exe" call terminate

Change process prioritywmic process where name="explorer.exe" call setpriority 64

Get list of process identifierswmic process where (Name='svchost.exe') get name,processid

Information about harddriveswmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about oswmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about fileswmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt

Process listwmic process get /format:htable > c:\process.htm

Retrieve list of warning and error events not from system or security logsWMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:\appevent.htm

How to Reset the Local Administrator Password on Multiple Computers Remotely

Still on a Server 2003 domain I have no GPP option.
Took me a bit to get the syntax correct. Got mine to work like this:
C:\1\pstools>pspasswd.exe @computers2.txt administrator 123xyz
Worked on my Windows 7 machines too.
It opened a command window, I watched as it hit each machine, watched success & failures.

Useful commands

Useful commands


for Windows administrators


Managing a Windows 2000 Active Directory with about 100 servers, over 1500 computers and 35 sites, the following commands often helped me answer questions or solve problems.
Most commands are "one-liners", but for some I had to make an exception and go to the right directory first.

These commands could all be used in batch files, though some may need some "parsing" with FOR /F to retrieve only the required substrings from the displayed information.



Notes: (1) Commands that use external, or third party, or non-native utilities contain hyperlinks to these utilities' download sites.
(2) Replace command arguments displayed in italics with your own values.
(3) Commands or utilities that require Windows Server 2003 are marked bright blue.
Warning: Most commands on this page are very powerful tools.
Like most powerful tools they could cause a lot of damage in the hands of insufficiently skilled users.
Treat these commands like you would (or should) treat a chainsaw: with utmost care. Do not use them if you do not fully understand what they do or how they do it.
Any damage caused using these commands is completely your own responsibility.









How many users are logged on/connected to a server?


Sometimes we may need to know how many users are logged on to a (file) server, like maybe when there is a performance degradation.
At the server's console itself, with native commands only:
 NET SESSION | FIND /C "\\"

Remotely, with the help of SysInternals' PSTools:
 PSEXEC \\servername NET SESSION | FIND /C "\\"

By replacing FIND /C "\\" by FIND "\\" (removing the /C switch) you'll get a list of logged on users instead of just the number of users.






Who is logged on to a computer?


We often need to know who is currently logged on to a remote computer.
With native Windows (up to and including XP) commands only:
 NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"

The first name in the list usually is the logged on user (try playing with the NET NAME command to learn more about the names displayed by NBTSTAT).
This is the fastest way to find the logged on user name, and the results that you do get are correct, but NBTSTAT won't always return a user name, even when a user is logged on.

Using WMIC (Windows XP Professional and later):
 WMIC /Node:remotecomputer ComputerSystem Get UserName

This is arguably the most reliable (native) command to find out who is logged on.

With the help of SysInternals' PSTools:
 PSLOGGEDON -L \\remotecomputer

or:
 PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "

or:
 PSEXEC \\remotecomputer NET NAME

or for Windows XP only:
 PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

Using REG.EXE (Windows 2000 and later):
 FOR /F %%A IN ('REG Query \\remotecomputer\HKU ˆ| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (
  FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (
   SET LoggedinUser=%%B
  )
 )

or for Windows 7:
 FOR /F %%A IN ('REG Query \\remotecomputer\HKU /K /F "S-1-5-21-" ˆ| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (') DO (
  FOR /F "tokens=2*" %%B IN ('REG Query "\\remotecomputer\%%~A\Volatile Environment" /V "UserName" ˆ| FIND /V ":"') DO (
   SET LoggedinUser=%%C
  )
 )

NETSH and WMIC are for XP or later, and are the most reliable of all commands shown here.
WMIC requires WMI enabled remote computers and Windows XP on the administrator's computer; NETSH requires Windows XP on the local and remote computers.

PSLOGGEDON is a more accurate solution than NBTSTAT, but it will return the last logged on user if no one is currently logged on.

The NET and NBTSTAT commands show more or less identical results, but the NBTSTAT command is much faster.

The REG command is accurate, but may need to be modified depending on the version used.
More information on REG versions can be found on my REG Query page.

For Windows NT 4 and 2000: use NBTSTAT (fast, but it won't always return the user name!), and only switch to REG if NBTSTAT doesn't return a user name (modify the REG command for Windows NT 4).
For Windows XP and later: if you want to search lots of computers for logged on users, I recommend you try NBTSTAT first (fast, but it won't always return the user name!), and only switch to NETSH, REG or WMIC (accurate) if NBTSTAT doesn't return a user name.

Credits: Jiří Janyška (WMIC command) and Matthew W. Helton (NETSH command).






What is this collegue's login name?


My collegues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn't always ask either. I suppose they expect me to know all 1500+ accounts by heart.
With (native) Windows Server 2003 commands only:
 DSQUERY USER -name *lastname* | DSGET USER -samid -display

Note: Windows Server 2003's "DSTools" will work fine in Windows 2000 and XP too, when copied.
Keep in mind, however, that some Windows Server 2003 Active Directory functionality is not available in Windows 2000 Active Directories.






What is the full name for this login name?


With the native NET command:
 NET USER loginname /DOMAIN | FIND /I " name "

With (native) Windows Server 2003 commands:
 DSQUERY USER -samid *loginname* | DSGET USER -samid -display

Note: The NET command may seem more universal, because it requires neither Active Directory nor Windows Server 2003 commands, but it is language dependent!
For non-English Windows you may need to modify FIND's search string.






What groups is this user a member of?


In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain) local groups. Access permissions are given to (domain) local groups.
To check if a user has access to a resource, we need to check group membership recursively.
With (native) Windows Server 2003 commands:
 DSQUERY USER -samid loginname | DSGET USER -memberof -expand






What permissions does a user have on this directory?


One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:
 CD /D d:\directory2check
 SHOWACLS /U:domain\userid






When did someone last change his password?


With the native NET command:
 NET USER loginname /DOMAIN | FIND /I "Password last set"






How do I reset someone's password?


With the native NET command:
 NET USER loginname newpassword /DOMAIN

With (native) Windows Server 2003 commands:
 DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword

Note: To prevent the new password from being displayed on screen replace it with an asterisk (*); you will then be prompted (twice) to type the new password "blindly".






Is someone's account locked?


With the native NET command:
 NET USER loginname /DOMAIN | FIND /I "Account active"

The account is either locked ("Locked") or active ("Yes").






How to unlock a locked account


With the native NET command:
 NET USER loginname /DOMAIN /ACTIVE:YES

or, if the password needs to be reset as well:
 NET USER loginname newpassword /DOMAIN /ACTIVE:YES






Make sure a local user's password never expires


With WMIC (Windows XP Professional or later):
 WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="FALSE"






Make sure a local user's password will expire


With WMIC (Windows XP Professional or later):
 WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="TRUE"






List all domains and workgroups in the network


With the native NET command:
 NET VIEW /DOMAIN






List all computers in the network


With the native NET command:
 NET VIEW

or, to list the names only:
 FOR /F "skip=3 delims=\  " %%A IN ('NET VIEW') DO ECHO.%%A

delims is a backslash, followed by a tab and a space.






List all domain controllers


With native Windows 2000 commands:
 NETDOM QUERY /D:MyDomain DC

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

With (native) Windows Server 2003 commands (Active Directory only):
 DSQUERY Server

or, if you prefer host names only (tip by Jim Christian Flatin):
 DSQUERY Server -o rdn






Find the primary domain controller


With native Windows 2000 commands:
 NETDOM QUERY /D:MyDomain PDC

or, to find the FSMO with (native) Windows Server 2003 commands (Active Directory only):
 NETDOM QUERY /D:mydomain.com FSMO

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.






List all member servers


With native Windows 2000 commands:
 NETDOM QUERY /D:MyDomain SERVER

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.






List all workstations


With native Windows 2000 commands:
 NETDOM QUERY /D:MyDomain WORKSTATION

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.






Delete a computer account


With native Windows 2000 commands:
 NETDOM /DOMAIN:MyDomain MEMBER \\computer2Bdeleted /DELETE

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.






"I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes"


Sounds familiar?

With (native) Windows XP Professional or Windows Server 2003 commands:
 FOR /F %%A IN (servers.txt) DO (
  WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
 )

The only prerequisites are:

  1. SRVSPACE.CSV should not exist or be empty,
  2. a list of server names in a file named SERVERS.TXT, one server name on each line,
  3. and WMIC.EXE, which is native in Windows XP Professional and later.

The CSV file format is ServerName,DeviceID,FileSystem,FreeSpace,Size (one line for each harddisk partition on each server).

If you have a strict server naming convention, SERVERS.TXT itself can be generated with the NET command:
 FOR /F "delims=\  " %%A IN ('NET VIEW ^| FINDSTR /R /B /C:"\\\\SRV\-"') DO (>>SERVERS.TXT ECHO.%%A)

Notes: (1) assuming server names start with "SRV-"; modify to match your own naming convention.
(2) delims is a backslash, followed by a tab and a space.






List all drivers on any PC


With (native) Windows XP Professional or Windows Server 2003 commands:
 DRIVERQUERY /V /FO CSV > %ComputerName%.csv

Or, for remote computers:
 DRIVERQUERY /S remote_PC /V /FO CSV > remote_PC.csv






List all printers on any PC


With (native) Windows XP+ commands:
 WMIC /Node:remote_PC Path Win32_Printer Get DeviceID






List all local administrators


With (native) Windows NT 4+ commands:
 NET LOCALGROUP Administrators

Or, to remove header and footer lines:
 FOR /F "delims=[]" %%A IN ('NET LOCALGROUP Administrators ˆ| FIND /N "----"') DO SET HeaderLines=%%A
 FOR /F "tokens=*"  %%A IN ('NET LOCALGROUP Administrators') DO SET FooterLine=%%A
 NET LOCALGROUP Administrators | MORE /E +%HeaderLines% | FIND /V "%FooterLine%"






Locate rogue DHCP servers


Never had an "illegal" router wreaking havoc on your network yet...?

With a (native) Windows Server 2003 command:
 DHCPLOC -p local_IP_address [ valid_DHCP_server1 [ valid_DHCP_server2 [ .. ] ] ]

DHCPLOC.EXE is native in Windows Server 2003, and will run in Windows XP if copied/installed.
I didn't test this in Windows Server 2003 yet, but in Windows XP you need to press "d" to start the discovery, or "q" to quit.






Disable Windows Firewall for domain only


Disable the firewall only when the computer (e.g. a laptop) is connected to the domain:
 NETSH Firewall Set OpMode Mode = DISABLE Profile = DOMAIN






Completely disable Windows Firewall (not recommended)


Disable the firewall comletely (not recommended unless an alternative enterprise firewall is used that requires you to do so):
 SC [ \\Remote_computer ] Stop SharedAccess
 SC [ \\Remote_computer ] Config SharedAccess start= disabled






Is IP v4 supported on this computer?


Check if IP v4 is supported on the local computer:
 PING 127.0.0.1 | FIND "TTL=" >NUL 2>&1
 IF ERRORLEVEL 1 (ECHO IP v4 NOT supported) ELSE (IP v4 supported)

or:
 WMIC Path Win32_PingStatus WHERE "Address='127.0.0.1'" Get StatusCode /Format:Value | FINDSTR /X "StatusCode=0" >NUL 2>&1
 IF ERRORLEVEL 1 (ECHO IP v4 NOT supported) ELSE (IP v4 supported)

The WMIC command is faster, but requires Windows XP Professional or later.






Is IP v6 supported on this computer?


Check if IP v6 is supported on the local computer:
 PING ::1 | FINDSTR /R /C:"::1:[ˆ$]" >NUL 2>&1
 IF ERRORLEVEL 1 (ECHO IP v6 NOT supported) ELSE (IP v6 supported)

or:
 WMIC Path Win32_PingStatus WHERE "Address='::1'" Get StatusCode >NUL 2>&1
 IF ERRORLEVEL 1 (ECHO IP v6 NOT supported) ELSE (IP v6 supported)

The WMIC command is faster, but requires Windows XP Professional or later.






Which updates were installed on this compter?


Windows 7 and 8:
 DISM /Online /Get-Packages

or:
 WMIC QFE List



DISM will return far more details than WMIC.



Windows 2000 and XP:
 QFECHECK /V

Using a Command Line to Uninstall Software on Remote PCs

WMIC (Windows Management Instrumentation Command-Line) is a potent tool that often doesn't see much use due to the lack of (easily accessible) documentation available. More information can be found on WMIC here: http://technet.microsoft.com/en-us/library/bb742610.aspx. Some great switches and alternate options can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmic_overview.mspx. We’ll be using WMIC with domain admin credentials to crawl through a list of nodes (PCs/Laptops) and uninstall an example program without interrupting the user.
1.

Step into WMIC

One of the nice features of WMIC is that it may be run from any machine. With our admin command shell, we're going to enter the wmic command followed by enter. (Note: We could have jumped into WMIC directly from the runas command... this just breaks out the steps)

Wmiccommand_big
2.

Load up a command shell with appropriate access permissions

Though a WMIC instruction can be given appropriate credentials prior to operation, it is typically best-practice to avoid clear-text typing the password (who is that looking over your shoulder;)). We’ll execute the runas command like the following:
Runas /user:DomainAdminAccount@DOMAIN cmd
… which will prompt us for the credentials of our DomainAdminAccount. If authenticated, we’ll be handed a command shell running as the Admin.

Opencmdadminprompt_big
3.

Verify Program Installation (an optional informative step)

With our WMIC prompt, we can ask many questions of a node (or nodes) and receive some nicely formatted replies. Though formatting the replies is beyond the scope of this "How To", much more information can be found on the internet.
So let's find out if a particular node even has our target software (Spiceworks does attempt to list this information in its software scan)
>/node:COMPUTERNAME product get name,version,vendor
This command asks WMI to reply with a list including the Name, Version, and Vendor of all compliant software installations.
If you would like to filter for a specific product, you may do so. Here's an example scanning a networked machine for all installed applications from the vendor "Apple, Inc"
>/node:ANOTHEREXAMPLE product where vendor="Apple Inc." get name,vendor
(*Note from Anders4221:
A small hint if you have special characters like '-' or '/' in the computer name you need to use ' ' characters in order to get information from client)
(**Note from Joe3034:
Here is how you use wildcards in your search:
Surround the like phrase in double quotes and your search criteria in single quotes, and use % as the wildcard symbol.
e.g.:
/node:ComputerXYZ product where "vendor like 'adobe%'" get name,version,identifyingNumber )
Vendorexample_big
4.

Call for the Uninstallation

So we can make a call to the WMI interface to uninstall a particular product... let's pick on the MobileMe Control Panel from our previous example. The command:
>/node:EXAMPLE product where name="MobileMe Control Panel" call uninstall
... will prompt you for confirmation in the following (long) format:
Execute (\\EXAMPLE\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{6DA9102E-199F-43A0-A36B-6EF48081A658}",Name="MobileMe Control Panel",Version="2.1.0.24")->Uninstall() (Y/N/?)?
.. to which you must reply 'y' if you wish to uninstall. WMI compliant software will run the default uninstalation procedures without the user needing to do anything (they receive no prompts etc).
**Note that you may also use the
/nointeractive flag like /node:EXAMPLE product where name="MobileMe Control Panel" call uninstall /nointeractive to prevent the confirmation request!
-thx Bart2691
Mobilemeuninstalled_big
5.

Call Uninstall for a List of Machines (an optional informative step)

Let's assume you just got word that Adobe Reader has a serious flaw in it's old version. In a panic, you asked all your users to blindly install the new version of Adobe reader straight from Adobe's site. Thankfully, they all managed to do so... however you've received 3 tickets so far about an Acrobat.com icon on the desktop.
You have a flat text file of all your computer's names stored in c:\computers.txt. You pop open a WMIC shell with appropriate permissions and enter the following command:
>/failfast:on /node:@"c:\computers.txt" product where name="Acrobat.com" call uninstall /nointeractive
Which iterates through your list, skipping nodes that are invalid (eg:machine is turned off) and those that don't meet the criteria. You'll need to confirm 'y' that you want to uninstall on every node unless you use the nointeractive flag.
* Updated Note from Bart2691
... an easy way to automate answering 'Yes'. Examples for doing it by PC or a text file is to use the /nointeractive flag. Additionally, if you don't wish to hang on failed nodes, use the /failfast:on flag to quickly skip a node that isn't responding.
** note from true911 (unconfirmed)
The correct flag is failfast:on, not fastfail:on
wmic /failfast:on /node:@"FILENAME.txt" product where "name like 'microsoft office professional edition 2003'" call uninstall /nointeractive

Conclusion

Hopefully you've been intrigued by the potency of WMIC. Though the command-line use of the uninstall call may not be commonly needed with software management tools, AD, etc... it can sometimes be the best way to accomplish a task quickly without disturbing your user(s).
Let's hope spiceworks takes its WMI implementation a step further in a future release and automates this for us;)

joi, 23 mai 2013

SNMP on SPLAT - any HOWTO?

    1. Hi all!

      Do you know any existing SNMP How To documents?

      CP documentation is weird (as usual), and I have to do some basic configurations (like enabling RO community) in a short time.

      Thanks for your answers.
    1. -------------
      Sincerely,
      Valeri Loukine
      CCMA-0019
      http://checkpoint-master-architect.blogspot.com/

  1. #2
    cciesec2006 is offline Senior Member
    Join Date
    2006-09-26
    Posts
    2,142
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Quote Originally Posted by varera View Post
    Hi all!

    Do you know any existing SNMP How To documents?

    CP documentation is weird (as usual), and I have to do some basic configurations (like enabling RO community) in a short time.

    Thanks for your answers.
    step 1: service snmpd restart
    step 2: edit /etc/snmp/snmpd.users.conf and replace public with your actual
    snmp community string
    step 3: service snmpd restart
    step 4: netstat -an | grep 161

    for checkpoint snmpd port 260:

    step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp
    community inside the read and write (). If you leave the write empty,
    it will use "private" as the community string. This is a security risk.

    step 2: run sysconfig and start the checkpoint snmpd extension

    step 3: perform cpstop;cpstart

    step 4: netstat -an | grep 260

    now you should have both snmp and checkpoint snmpd daemon running on the box.

    Easy right?

  2. #3
    melipla is offline Senior Member
    Join Date
    2006-01-25
    Posts
    1,370
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Quote Originally Posted by cciesec2006 View Post
    Easy right?
    Is there any benefit to having both snmpd's running?
    Its all in the documentation.

  3. #4
    cciesec2006 is offline Senior Member
    Join Date
    2006-09-26
    Posts
    2,142
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Quote Originally Posted by melipla View Post
    Is there any benefit to having both snmpd's running?
    with checkpoint snmpd running, you can collect the number of active
    connections in checkpoint tables like "fw tab -s -t connections" and other
    things. I don't think you can get this value with regular snmp

  4. #5
    dsb.nepo is offline Senior Member
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    419
    Rep Power
    8

    Default Re: SNMP on SPLAT - any HOWTO?

    step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp
    community inside the read and write ().
    This can also be set at the object in SmartDashboard.

  5. #6
    cciesec2006 is offline Senior Member
    Join Date
    2006-09-26
    Posts
    2,142
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Quote Originally Posted by dsb.nepo View Post
    This can also be set at the object in SmartDashboard.
    Are you sure about this? I saw that option but it uses port 161 instead
    of port 260. I verified it with tcpdump

  6. #7
    dsb.nepo is offline Senior Member
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    419
    Rep Power
    8

    Default Re: SNMP on SPLAT - any HOWTO?

    Are you sure about this? I saw that option but it uses port 161 instead
    of port 260. I verified it with tcpdump
    Sorry for the false information my fault.
    You are right, to access the CP mib the file $FWDIR/conf/snmp.C shoud be configured.
    Information from the dialog are from the system mib.

    Is there any benefit to having both snmpd's running?
    Yes, so you can monitor both
    - HD space/CPU/memory/traffice ... (system values)
    - accepted/dropped/rejected packets, cp states ... (CP values)

  7. #8
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    So, I've gathered the steps necessary to get SNMP monitoring working properly with our monitor system and it tested successfully with our test box.

    However, I'm looking for some scripting help (I know this may not be the right thread or area, but it's as good as any I guess), since I'm a total newb to scripting...

    Is there a way to setup a script that will perform the following:
    1. SSH to device1
    2. change to expert
    3. Edit /etc/snmp/snmpd.conf to include my read-only community strings and IP's at the appropriate area of the file (always by adding lines after the line that says "master agentx").
    4. enable snmp service on 161
    6. perform a cpstop
    7. perform a cpstart
    8. send an smtp relay to an email address stating that it was successful.
    9. Loop previous steps to remaining device2, device3..., approximately 60 devices, then smtp relay again upon completion of all devices.
    <end>

    Thanks in advance...

  8. #9
    lammbo is offline Senior Member
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,184
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Does anyone have any recommendations on what to dump these to?

    I have a Cacti server for snmp I use on with my perimeter routers and HP System Insight Manager for my windows servers.

    My guess would be Cacti, do they have mibs for this so the collected data would be useful? (sorry, snmp is a weak area for me so I only know just enough to be dangerous ;D)
    There's no place like 127.0.0.1

  9. #10
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    There are two types of Check Point SNMP. One is the standard SNMP collected over port 161. This shouldn't require any special configuration or setup on the SNMP management system.

    The other type is Check Point SNMP on port 260. This would require the MIB's to be imported into the management system.

    The steps on SPLAT that I took to configure the SPLAT devices are as follows:

    1. Log into system via ssh.

    2. Change to Expert Mode.

    3. Edit the /etc/snmp/snmpd.conf file:

    a. Scroll to just past the “Master Agentx” line, and start a blank line, typing “a” (if using vi) to go to “append” mode.

    b. Add the following lines in format (“rocommunity” = read only community; <community string>; <IP Address of Monitoring System>) and note that it's my understanding that Check Point does not allow the management system to write/change configs via SNMP:

    rocommunity string x.x.x.x

    c. Save and exit the file.

    4. Run the chkconfig commands as described below, to make the daemon persistent across reboot (still unsure about this part of my list, but I did it anyway and I haven't experienced any problems yet):

    chkconfig --add snmpd
    chkconfig --level 345 snmpd on

    5. Enable the snmp service by using this command, it will notify you upon success by giving you another prompt:

    snmp service enable 161

    6. 'snmp service stat' will verify that the service is running and on which port (successful response should be “SNMP service enabled and listening on port 161.”). Alternatively, you can run a netstat –an | grep 161 to verify (successful response should be “udp 0 0 0.0.0.0:161 0.0.0.0:*”).

    Hope this helps...

  10. #11
    dsb.nepo is offline Senior Member
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    419
    Rep Power
    8

    Default Re: SNMP on SPLAT - any HOWTO?

    @boldin
    I don't think you can script the expert part, but it can be done if you have direct expert access via ssh.
    You can write then a script(1) which transfer another script(2) that does the config at the gateway and call this from the machine which runs script(1).
    I have no working solution for you available but I use this methode to configure/update most of my *NIX machines.

    @lammbo
    if you are running splat you can use the 'Generic SNMP host' to graph
    - CPU
    - load
    - process
    - memory
    - mounted partitions
    - interfaces

    There is also a cacti template which covers
    - Checkpoint - Connections
    - Checkpoint - Packets accepted
    - Checkpoint - Packets dropped
    - Checkpoint - Packets logged
    - Checkpoint - Packets rejected

    If you like send me a PM and I will send you my working cacti template.

  11. #12
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    Well, we've gotten SNMP running on our devices, which I might add was rather quick and painless.

    However, we are now having trouble with importing the Check Point MIB's into our management systems.

    Any advice on Spectrum and/or eHealth Check Point Mib's?

    The other big problem is scheduling a cpstop and cpstart for over 50 devices around the world - I wish Check Point would have made this as easy as the standard SNMP stuff...

  12. #13
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    Another update....

    Well, after I thought I had everything working fine, I've come to find out that one of two things is not happening correctly. Either the snmpd.conf file is incorrect (see below) and therefore not passing Check Point SNMP to the service running on port 260, or the Check Point SNMP service on 260 is configured incorrectly.

    It would appear that standard snmp is working fine.

    Here's what I have for /etc/snmp/snmpd.conf:
    ---------
    master agentx
    rocommunity <comm_string> 1.2.3.4
    rocommunity <comm_string> 2.3.4.1
    rocommunity <comm_string> 3.4.1.2
    rocommunity <comm_string> 4.1.2.3
    pass 1.3.6.1.4.1.2620 127.0.0.1:260

    <monitored stuff>
    ----------

    Here's what I have for /$FWDIR/conf/snmp.C:
    ----------
    (
    : (
    : (system.sysName.0
    :value (dns_name)
    )
    : (system.sysDescr.0
    :value ("Linux i386 vEL.3.0 Check Point FireWall-1 SecurePlatform")
    )
    : (system.sysContact.0
    :value ("Firewall Team")
    )
    : (system.sysLocation.0
    :value ("City - Function")
    )
    : (system.sysObjectID.0
    :value (".1.3.6.1.4.1.2620.1.1")
    )
    )
    :snmp_community (
    :read (ro_comm_string)
    :write (rw_comm_string)
    )
    )
    ----------

    Here's output from snmpwalks:
    [Expert@dns_name]# snmpwalk -v 2c -c ro_comm_string 127.0.0.1 1.3.6.1.4.1.2620.1.1
    SNMPv2-SMI::enterprises.2620.1.1 = No Such Object available on this agent at this OID

    [Expert@dns_name]# snmpwalk -v 2c -c ro_comm_string 127.0.0.1:260 1.3.6.1.4.1.2620.1.1
    Timeout: No Response from 127.0.0.1:260

    Steps taken:
    1. Log into system in Admin Mode via ssh.
    2. Change to Expert Mode.
    3. Edit (vi) the /etc/snmp/snmpd.conf file:
    a. Scroll to just past the “Master Agentx” line, and start a blank line, typing “a” to go to “append” mode.
    b. Add the following lines in format (“rocommunity” = read only community; <community string>; <IP Address of Monitoring System>):
    rocommunity ro_comm_string 1.2.3.4
    rocommunity ro_comm_string 2.3.4.1
    rocommunity ro_comm_string 3.4.1.2
    rocommunity ro_comm_string 4.1.2.3
    c. Edit the “syslocation” and “syscontact” lines to the describe the firewall.
    d. Save and exit the file.
    4. Run the chkconfig command as described below, to make the daemon persistent across reboot:
    chkconfig --add snmpd
    chkconfig --level 345 snmpd on
    5. Enable the snmp service by using this command, it will notify you upon success by giving you another prompt:
    snmp service enable 161
    6. Remove the default snmp community string(s):
    snmp user show – should return community strings used (public/private, etc.).
    snmp user del public – deletes the default community string for security purposes.
    snmp user del private – this user typically does not exist as a default entry since Checkpoint does not allow write community strings with standard snmp.
    7. 'snmp service stat' will verify that the service is running and on which service (successful response should be “SNMP service enabled and listening on port 161.”). Alternatively, you can run a netstat –an | grep 161 to verify (successful response should be “udp 0 0 0.0.0.0:161 0.0.0.0:*”).
    8. Modify the $FWDIR/conf/snmp.C file by placing the actual snmp communities inside the read( ) and write( ). Note – if you leave one empty, it will default to ‘public’ for read( ) and ‘private’ for write( ), which is a security risk.
    vi $FWDIR/conf/snmp.C
    It should look similar to this when completed:
    (
    : (
    : (system.sysName.0
    :value (dns_name)
    )
    : (system.sysDescr.0
    :value ("Linux i386 vEL.3.0 Check Point FireWall-1")
    )
    : (system.sysContact.0
    :value ("Contact Department - Telephone Number")
    )
    : (system.sysLocation.0
    :value ("City - Function")
    )
    : (system.sysObjectID.0
    :value (".1.3.6.1.4.1.2620.1.1")
    )
    )
    :snmp_community (
    :read (ro_comm_string)
    :write (rw_comm_string)
    )
    )
    Once verified that snmp is running on 161 (very important, if you proceed without snmp being enabled on 161, then Checkpoint snmp will enable itself on 161 rather than 260 according to the documentation I've found), go to cpconfig and then enable checkpoint snmp:
    cpconfig
    2 – SNMP Extension
    Configuring SNMP Extension...
    =============================
    The SNMP daemon enables Check Point products module to export its status to external network management tools.
    Would you like to activate Check Point products SNMP daemon ? (y/n) [n] ?
    y – to enable.
    8 – Exit
    Thank You...

    You have changed Check Point products Configuration.
    You need to restart ALL Check Point modules (performing cpstop & cpstart) in order to activate the changes you have made.
    Would you like to do it now? (y/n) [y] ?
    n – NO, do not perform a cpstop & cpstart until you verify with the customer that we have an agreed-upon maintenance window for the 2-5 minutes of downtime required. You will also need to enter the following information prior to performing the cpstop & cpstart.
    9. Go into SmartDashboard and edit the CheckPoint Object to change the parameters in the "Advanced" window to add the ro_comm_string and rw_comm_string, etc.
    10. Verify rules exist and add rules if necessary to allow icmp-ping, snmp-161 and fw1-snmp-260 to/from the SNMP management stations and all SNMP-monitored devices.
    11. Push Policy to the enforcement point. If it is a SCS then go to Policy > Install Database > select the database you modified.
    12. ssh into the firewall or management station, then perform a cpstop & cpstart. Once complete, perform a netstat –an | grep 260 – a successful response should look like this:
    udp 0 0 0.0.0.0:260 0.0.0.0:*
    13. Request firewall be discovered in SNMP management station by emailing person x and person y.

    ---------

    I've also done another cpstop/cpstart after all of this, just to verify.

    I know it's verbose, but I'm extremely frustrated that I haven't been able to figure this one out and the documentation from Check Point is lacking (big surprise). I've found about 4 versions of Check Point MIBs to import and all of them are failing miserably, including the most recent one I've found, dated last year. The ones I pulled from the device itself failed import on line 1, at least the others went a bit (not much) further before crapping out...

  13. #14
    ozsarman is offline Junior Member
    Join Date
    2009-03-12
    Posts
    2
    Rep Power
    0

    Default Re: SNMP on SPLAT - any HOWTO?

    I hope this will be usefull for you.

    Sample Usage:

    snmpget -O s -c SNMPCOMMUNITY -v 1 IPADDRESS 1.3.6.1.4.1.2620.1.6.7.2.4.0

    Result:

    enterprises.2620.1.6.7.2.4.0 = INTEGER: 53

    CPU Usage:

    IDLE: .1.3.6.1.4.1.2620.1.6.7.2.3.0
    SYSTEM: .1.3.6.1.4.1.2620.1.6.7.2.2.0
    USAGE: .1.3.6.1.4.1.2620.1.6.7.2.4.0
    USER: .1.3.6.1.4.1.2620.1.6.7.2.1.0


    Ram Usage:


    memActiveReal 1.3.6.1.4.1.2620.1.6.7.1.4.0

    memFreeReal 1.3.6.1.4.1.2620.1.6.7.1.5.0

    memTotalReal 1.3.6.1.4.1.2620.1.6.7.1.3.0


    Packets:

    fwAccepted 1.3.6.1.4.1.2620.1.1.4.0

    fwRejected 1.3.6.1.4.1.2620.1.1.5.0

    fwDropped 1.3.6.1.4.1.2620.1.1.6.0

    fwLogged 1.3.6.1.4.1.2620.1.1.7.0



    For All MIB:

    CHECKPOINT-MIB SNMP MIB


    Cacti:

    Nokia IP Firewall Checkpoint Template


    Best Regards,

    Özdemir Şarman ( Ozdemir Sarman )

  14. #15
    jmccourt is offline Junior Member
    Join Date
    2009-04-03
    Posts
    1
    Rep Power
    0

    Default Re: SNMP on SPLAT - any HOWTO?

    All,
    Just to clear things up a bit, I've see a lot of people using:
    pass 1.3.6.1.4.1.2620 127.0.0.1:260
    or
    proxy -v1 -c <community> 127.0.0.1:260 .1.3.6.1.4.1.2620

    I remember using these in the past to combine Checkpoint SNMP and system SNMP to a single port (Great for those tools that don't allow you to use non standard ports for snmp queries).

    It doesn't seem that either of these are needed now, is this because of the master agentx line?

    without either of those lines, and just the master agentx entry in the snmpd.conf file I can do things like this.

    snmpwalk -v2c -c <community> <ipaddress> 1.3.6.1.4.1.2620

    >>
    SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"
    SNMPv2-SMI::enterprises.2620.1.1.2.0 = STRING: "*********"
    SNMPv2-SMI::enterprises.2620.1.1.3.0 = STRING: "Thu Apr 16 17:44:21 2009"
    SNMPv2-SMI::enterprises.2620.1.1.4.0 = INTEGER: 228951
    SNMPv2-SMI::enterprises.2620.1.1.5.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.2620.1.1.6.0 = INTEGER: 5047
    SNMPv2-SMI::enterprises.2620.1.1.7.0 = INTEGER: 16975
    SNMPv2-SMI::enterprises.2620.1.1.8.0 = INTEGER: 6
    SNMPv2-SMI::enterprises.2620.1.1.9.0 = INTEGER: 2

    That is obvious checkpoint information the *****'s represented the installed policy.

    All is good with neither of the pass, or proxy settings.


    Thanks,
    Jeremy McCourt

  15. #16
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    So we have SNMP setup, presumably properly, on all our systems. Now, we've found that after reboot the net-SNMP service (161, not 260) does not start properly. We're on R65 HFA_02, most devices are UTMs, some are M-series.

    Any ideas on how to make this persistent? Am I missing something simple?

    Thanks,
    -Boldin
    Last edited by boldin; 2009-07-10 at 17:03.

  16. #17
    melipla is offline Senior Member
    Join Date
    2006-01-25
    Posts
    1,370
    Rep Power
    9

    Default Re: SNMP on SPLAT - any HOWTO?

    Quote Originally Posted by boldin View Post
    So we have SNMP setup, presumably properly, on all our systems. Now, we've found that after reboot the net-SNMP service (161, not 260) does not start properly. We're on R65 HFA_02, most devices are UTMs, some are M-series.

    Any ideas on how to make this persistent? Am I missing something simple?

    Thanks,
    -Boldin
    You most likely missed this command:
    chkconfig --level 345 snmpd on

    You can verify it by using:
    chkconfig --list snmpd

    also verify your default runlevel by looking for the "initdefault" line--it will be the number after id:
    cat /etc/inittab |grep initdefault


    HTH
    Last edited by melipla; 2009-07-13 at 12:14.
    Its all in the documentation.

  17. #18
    boldin is offline Senior Member
    Join Date
    2008-11-22
    Location
    Atlanta, GA
    Posts
    553
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    I went in and ran the command again, even though it was in the script. Now, we wait and see what happens when the power goes out again. It survived a controlled reboot, just like last time...

    Thank you

  18. #19
    Felix001 is offline Senior Member
    Join Date
    2008-07-26
    Posts
    155
    Rep Power
    5

    Default Re: SNMP on SPLAT - any HOWTO?

    Great tips guys, went straight in and enabled it within a few minutes, without any problems...

    Ive created this from the guides below which someone may find useful.....

    Video Tutorial / How do I Enable Checkpoint SNMPD on SPLAT ??

    Thanks......
    CCSA/CCNA/SNPA/JNCIS-FWV

  19. #20
    ravi_vm is offline Junior Member
    Join Date
    2008-05-05
    Posts
    4
    Rep Power
    0

    Default Re: SNMP on SPLAT - any HOWTO?

    Hi,

    Need urgent help to configure threshold value for Checkpoint SPLAT MIB/OID.

    We are running 8 SPLAT R70.1 firewalls with cluster and 2 R70.1 SmartCenter Servers. Now we want to monitor all these firewalls through native snmp management(etc/snmp/snmpd.conf). I would like to configure the threshold value for some of the checkpoint MIB's. I have configured threshold values for file system , CPU and Memory as following OID's.

    cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.1 > 90 60 "/ > 10% used "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.2 > 90 60 "/boot > 10% used "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.3 > 90 60 "/opt > 10% used "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.4 > 90 60 "/sysimg > 10% used "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.3.3.5 > 90 60 "/var > 10% used "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.1.4 > 20000 60 "memActiveReal "
    cp_monitor 1.3.6.1.4.1.2620.1.6.7.1.5 > 20000 60 "memFreeReal "

    but now i want to configure threshold value for following Checkpoint OID's , if any one knows or configured please guide me how can i accomplish this task for following MIB's.

    fwModule State 1.3.6.1.4.1.2620.1.1.1
    Dropped packets 1.3.6.1.4.1.2620.1.1.6
    Rejected Packets In 1.3.6.1.4.1.2620.1.1.25.5.1.11
    Rejected Packets Out 1.3.6.1.4.1.2620.1.1.25.5.1.12
    Available Physical Memory 1.3.6.1.4.1.2620.1.1.26.2.2
    Firewall Memory KB used 1.3.6.1.4.1.2620.1.1.26.2.4
    fwSS-http-auth-failures 1.3.6.1.4.1.2620.1.1.26.9.1.17
    cpvHwAccelStatus 1.3.6.1.4.1.2620.1.2.8.1.2
    fwNumConn 1.3.6.1.4.1.2620.1.1.25.3
    cpvIKENoResp 1.3.6.1.4.1.2620.1.2.9.2.2

    haState 1.3.6.1.4.1.2620.1.5.6
    haBlockState 1.3.6.1.4.1.2620.1.5.7
    haWorkMode 1.3.6.1.4.1.2620.1.5.11
    haStatus 1.3.6.1.4.1.2620.1.5.12.1.4
    haProblemName 1.3.6.1.4.1.2620.1.5.13.1.2
    haProblemStatus 1.3.6.1.4.1.2620.1.5.13.1.3
    haProblemPriority 1.3.6.1.4.1.2620.1.5.13.1.4
    haProblemVerified 1.3.6.1.4.1.2620.1.5.13.1.5
    haProblemDescr 1.3.6.1.4.1.2620.1.5.13.1.6

    memDiskTransfers 1.3.6.1.4.1.2620.1.6.7.1.7

    procUsage 1.3.6.1.4.1.2620.1.6.7.2.4
    procQueue 1.3.6.1.4.1.2620.1.6.7.2.5

    diskTime 1.3.6.1.4.1.2620.1.6.7.3.1
    diskPercent 1.3.6.1.4.1.2620.1.6.7.3.3
    diskFreeTotal 1.3.6.1.4.1.2620.1.6.7.3.4
    diskFreeAvail 1.3.6.1.4.1.2620.1.6.7.3.5

    memActiveVirtual64 1.3.6.1.4.1.2620.1.6.7.4.2
    memActiveREal64 1.3.6.1.4.1.2620.1.6.7.4.4
    memFreeReal64 1.3.6.1.4.1.2620.1.6.7.4.5

    mgActiveStatus 1.3.6.1.4.1.2620.1.7.5
    mgFwmIsAlive 1.3.6.1.4.1.2620.1.7.6

    wamStatsShortDescr 1.3.6.1.4.1.2620.1.8.102
    wamStatLongDescr 1.3.6.1.4.1.2620.1.8.103

    lsFwmIsAlive 1.3.6.1.4.1.2620.1.11.5
    lsStatCode 1.3.6.1.4.1.2620.1.11.101
    lsStatShortDescr 1.3.6.1.4.1.2620.1.11.102
    lsStatLongDescr 1.3.6.1.4.1.2620.1.11.103
    lsStatLongDescr 1.3.6.1.4.1.2620.1.11.103

    Policy installed 1.3.6.1.4.1.2620.1.1.25.1.0

    Thanks in advance.

    Ravi

    Quote Originally Posted by jmccourt View Post
    All,
    Just to clear things up a bit, I've see a lot of people using:
    pass 1.3.6.1.4.1.2620 127.0.0.1:260
    or
    proxy -v1 -c <community> 127.0.0.1:260 .1.3.6.1.4.1.2620

    I remember using these in the past to combine Checkpoint SNMP and system SNMP to a single port (Great for those tools that don't allow you to use non standard ports for snmp queries).

    It doesn't seem that either of these are needed now, is this because of the master agentx line?

    without either of those lines, and just the master agentx entry in the snmpd.conf file I can do things like this.

    snmpwalk -v2c -c <community> <ipaddress> 1.3.6.1.4.1.2620

    >>
    SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"
    SNMPv2-SMI::enterprises.2620.1.1.2.0 = STRING: "*********"
    SNMPv2-SMI::enterprises.2620.1.1.3.0 = STRING: "Thu Apr 16 17:44:21 2009"
    SNMPv2-SMI::enterprises.2620.1.1.4.0 = INTEGER: 228951
    SNMPv2-SMI::enterprises.2620.1.1.5.0 = INTEGER: 0
    SNMPv2-SMI::enterprises.2620.1.1.6.0 = INTEGER: 5047
    SNMPv2-SMI::enterprises.2620.1.1.7.0 = INTEGER: 16975
    SNMPv2-SMI::enterprises.2620.1.1.8.0 = INTEGER: 6
    SNMPv2-SMI::enterprises.2620.1.1.9.0 = INTEGER: 2

    That is obvious checkpoint information the *****'s represented the installed policy.

    All is good with neither of the pass, or proxy settings.