After a Checkpoint management appliance, running on Gaia, was upgraded from R80.30 to R81.10, the monitoring stopped working. We needed to apply a workaround to enable the deprecated SHA1 protocol again.
To monitor the Checkpoint appliance, we are using Gerhard Lausser's monitoring plugin check_nwc_health behind our monitoring core software, Icinga 2. This monitoring plugin uses SNMP to connect to a network device, such as a switch or firewall.
The plugin supports SNMPv3 authentication using the md5 and sha (SHA1) authentication protocols:
$ /usr/lib/nagios/plugins/check_nwc_health --help|grep protocol
--protocol
The SNMP protocol to use (default: 2c, other possibilities: 1,3)
--authprotocol
The authentication protocol for SNMPv3 (md5|sha)
--privprotocol
The private protocol for SNMPv3 (des|aes|aes128|3des|3desde)
After a quick (and non-thorough) research, it is not clear, whether check_nwc_health uses its own SNMP client implementation or the Perl module Net::SNMP. The latter is still in version 6.0.1, released in September 2010 (!). This version only supports md5 and sha authentication protocols. From the documentation:
Two different hash algorithms are defined by SNMPv3 which can be used by the Security Model for authentication. These algorithms are HMAC-MD5-96 "MD5" (RFC 1321) and HMAC-SHA-96 "SHA-1" (NIST FIPS PUB 180-1). The default algorithm used by the module is HMAC-MD5-96. This behavior can be changed by using the -authprotocol argument. This argument expects either the string 'md5' or 'sha' to be passed to modify the hash algorithm.
Right now it looks as if check_nwc_health uses Net::SNMP in the background, which would explain the same (outdated) authentication protocol options.
However since the Checkpoint upgrade, SNMP authentication now only supports the SHA256 and SHA512 protocols. This can be seen in the management (web) UI when creating a new SNMP user:
This is OK, when using the net-snmp commands, such as snmpwalk or snmpget. Since net-snmp 5.8 the newer authentication protocols are supported:
$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a SHA-256 -A secret FWMGMTHOST 1.3.6 |head -n 1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"
However check_nwc_health returns an unknown protocol in this case:
$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol SHA-256 --mode hardware-health -vvvvvvvvvvvvvvvvvvv
Fri Jan 14 11:42:03 2022: $VAR1 = {
'-domain' => 'udp',
'-port' => 161,
'-translate' => [
'-all',
0,
'-nosuchobject',
1,
'-nosuchinstance',
1,
'-endofmibview',
1,
'-unsigned',
1
],
'-authprotocol' => 'SHA-256',
'-username' => 'snmpuser',
'-authpassword' => 'secret',
'-hostname' => 'FWMGMTHOST',
'-timeout' => 13,
'-version' => '3'
};
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::override_opt
Fri Jan 14 11:42:03 2022: AUTOLOAD Monitoring::GLPlugin::Commandline::override_opt
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages
Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::nagios_exit
CRITICAL - cannot create session object: The authProtocol "SHA-256" is unknown
Update: Read the follow-up article to learn how to use Perl Net::SNMP v3 authentication with newer SHA protocols.
While an issue has been opened to request support for the newer authentication protocols in check_nwc_health, the monitoring of this Checkpoint management appliance needs to work again. As a workaround, the old SHA1 protocol can be enabled in Gaia again.
To do that, login with SSH on the Checkpoint management appliance.
In the Gaia clish, run the following command the show the current SNMP user configuration:
fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA256
Privacy Type n/a
Now switch to the expert mode:
fwmgmthost> expert
Enter expert password: **********
Warning! All configurations should be done through clish
You are in expert mode now.
Check the current authentication protocol, defined in /config/active:
[Expert@fwmgmthost:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.5
The OID ".1.3.6.1.6.3.10.1.1.5" stands for the SHA256 protocol. The corresponding OID for the SHA1 protocol is 1.3.6.1.6.3.10.1.1.3. An overview of the snmpAuthProtocols protocols and their OIDs:
By using the OID of SHA1, the SNMP user can manually be set to use the SHA1 protocol:
[Expert@fwmgmthost:0]# dbset snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3
The change can be verified back in Gaia (in clish):
fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA1
Privacy Type n/a
The protocol now shows SHA1!
However this is not enough yet. A SNMPv3 connection with the SHA protocol now fails with an authentication failure:
$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6
snmpwalk: Authentication failure (incorrect password, community or key)
To solve this, the password of snmpuser needs to be reset through the UI. In System Management -> SNMP -> V3 User-Based Security Model (USM) select the SNMP user and edit the user. Do not change any fields (even if they are empty), simply enter a new password in the "Authentication Passphrase" field.
Then click on Save and at the bottom of the SNMP page click on "Apply".
SNMPv3 login with SHA1 should now work:
$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6 |more
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2620.1.6.123.1.48
[...]
And this also means that monitoring with the check_nwc_health plugin now works again, too:
$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode hardware-health
OK - environmental hardware working fine | 'disk_/_free'=65%;10:;5:;0;100 'disk_/boot_free'=80%;10:;5:;0;100 'disk_/var/log_free'=30%;10:;5:;0;100 'clock_deviation'=0;60;120;;
In certain Checkpoint devices, for example VSX firewalls, the SNMP settings don't appear in the UI. In this case, all the operations need to be done on the command line.
Use SSH to connect to the management IP of the device.
To enable SNMP and allow access to the virtual firewalls (vsN), use the following commands:
[Expert@vsx:0]# clish
vsx:0> set snmp agent on
vsx:0> set snmp mode vs
SNMP mode is already "vs"
vsx:0> set snmp vs-direct-access on
vsx:0> exit
To create a new SNMPv3 user:
[Expert@vsx:0]# clish
vsx:0> add snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret
By the way: The clish also supports an additional parameter "authentication-protocol", however only SHA256 or SHA512 are supported:
vsx:0> add snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret authentication-protocol SHA1
NMSSNM0283 Must provide a valid authentication protocol (SHA256/SHA512)
To grant the user "snmpuser" access to all VS contexts, use:
vsx:0> set snmp usm user snmpuser vsid all
Switch to the expert mode (exit clish) and the user appears in /config/active:
[Expert@vsx:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.7
As mentioned above, this is the OID for SHA512.
Now use the dbset command to manually set the OID to SHA1:
[Expert@vsx:0]# dbset snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3
Verify:
[Expert@vsx:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3
Verify in clish:
[Expert@vsx:0]# clish
vsx:0> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA1
Privacy Type n/a
Allowed VSIDs : 0-3,5-8
At this point the authentication protocol is set to SHA1, however SNMP authentication still doesn't work from a SNMP client. The password needs to be set again. This can be done with the following command in clish:
vsx:0> set snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret
From this moment on, SNMP connections from monitoring work again, including access into VS contexts.
Although this workaround ensures that monitoring continues to work on this Checkpoint management appliance, there is one major downside: The SHA1 protocol is outdated and deemed insecure for a long time already. The SNMP connections must therefore only be allowed from a very restricted set of hosts in a secure (internal) network.
This of course also raises the question, whether (Perl-based) SNMP monitoring is still a choice in the future. This heavily depends on implementation of stronger and newer protocols and updated Perl scripts and modules.
ck from Sweden wrote on Apr 8th, 2022:
Thanks for the hint Gerhard. I manually patched USM.pm and it works!
Gerhard Laußer from wrote on Mar 3rd, 2022:
Get this patch here, apply it on /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm or put a patched USM.pm in your PERL5LIB path. I am using this in a Red Hat 7/8 environment, but i guess it should work for other distributions too.
https://www.mail-archive.com/ports@openbsd.org/msg106148.html
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder