SNMP v3 authentication with SHA1 protocol not working after Checkpoint Gaia upgrade to R81.XX


Published on January 18th 2022 - Listed in Monitoring Security Network


After a Checkpoint management appliance, running on Gaia, was upgraded from R80.30 to R81.10, the monitoring stopped working. We needed to apply a workaround to enable the deprecated SHA1 protocol again.

Monitoring Checkpoint with SNMP

To monitor the Checkpoint appliance, we are using Gerhard Lausser's monitoring plugin check_nwc_health behind our monitoring core software, Icinga 2. This monitoring plugin uses SNMP to connect to a network device, such as a switch or firewall.

The plugin supports SNMPv3 authentication using the md5 and sha (SHA1) authentication protocols:

$ /usr/lib/nagios/plugins/check_nwc_health --help|grep protocol
 --protocol
   The SNMP protocol to use (default: 2c, other possibilities: 1,3)
 --authprotocol
   The authentication protocol for SNMPv3 (md5|sha)

 --privprotocol
   The private protocol for SNMPv3 (des|aes|aes128|3des|3desde)

After some quick (and not thorough) research, it is not clear whether check_nwc_health uses its own SNMP client implementation or the Perl module Net::SNMP. The latter is still at version 6.0.1, released in September 2010 (!). This version only supports the md5 and sha authentication protocols. From the documentation:

Two different hash algorithms are defined by SNMPv3 which can be used by the Security Model for authentication. These algorithms are HMAC-MD5-96 "MD5" (RFC 1321) and HMAC-SHA-96 "SHA-1" (NIST FIPS PUB 180-1). The default algorithm used by the module is HMAC-MD5-96. This behavior can be changed by using the -authprotocol argument. This argument expects either the string 'md5' or 'sha' to be passed to modify the hash algorithm.

Right now it looks as if check_nwc_health uses Net::SNMP in the background, which would explain the same (outdated) authentication protocol options.

However, since the Checkpoint upgrade to R81.10, the Gaia web UI only offers the SHA256 and SHA512 authentication protocols when creating a new SNMP user; SHA1 is no longer selectable there:

This is fine when using the net-snmp commands, such as snmpwalk or snmpget: since net-snmp 5.8 the SHA-2 based authentication protocols (RFC 7860) are supported:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a SHA-256 -A secret FWMGMTHOST 1.3.6 |head -n 1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"

check_nwc_health, however, rejects the protocol as unknown (the debug output below is shown with maximum verbosity):

$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol SHA-256 --mode hardware-health -vvvvvvvvvvvvvvvvvvv 
Fri Jan 14 11:42:03 2022: $VAR1 = {
  '-domain' => 'udp',
  '-port' => 161,
  '-translate' => [
    '-all',
    0,
    '-nosuchobject',
    1,
    '-nosuchinstance',
    1,
    '-endofmibview',
    1,
    '-unsigned',
    1
  ],
  '-authprotocol' => 'SHA-256',
  '-username' => 'snmpuser',
  '-authpassword' => 'secret',
  '-hostname' => 'FWMGMTHOST',
  '-timeout' => 13,
  '-version' => '3'
};

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Monitoring::GLPlugin::Commandline::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::nagios_exit

CRITICAL - cannot create session object: The authProtocol "SHA-256" is unknown

Workaround: Enabling SHA1 in Checkpoint Gaia

While an issue has been opened to request support for the newer authentication protocols in check_nwc_health, the monitoring of this Checkpoint management appliance needs to work again. As a workaround, the old SHA1 protocol can be enabled in Gaia again.

To do that, log in with SSH on the Checkpoint management appliance.

In the Gaia clish, run the following command to show the current SNMP user configuration:

fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA256
Privacy Type n/a

Now switch to the expert mode:

fwmgmthost> expert
Enter expert password: **********
Warning! All configurations should be done through clish
You are in expert mode now.

Check the current authentication protocol, defined in /config/active:

[Expert@fwmgmthost:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.5

The OID ".1.3.6.1.6.3.10.1.1.5" stands for the SHA256 protocol. The corresponding OID for the SHA1 protocol is .1.3.6.1.6.3.10.1.1.3. These OIDs are the ones registered under snmpAuthProtocols in RFC 3414 (MD5, SHA1) and RFC 7860 (SHA-2 family). An overview of the authentication protocols, their USM object names and their OIDs:

  • MD5 (usmHMACMD5AuthProtocol): .1.3.6.1.6.3.10.1.1.2
  • SHA(1) (usmHMACSHAAuthProtocol): .1.3.6.1.6.3.10.1.1.3
  • SHA224 (usmHMAC128SHA224AuthProtocol): .1.3.6.1.6.3.10.1.1.4
  • SHA256 (usmHMAC192SHA256AuthProtocol): .1.3.6.1.6.3.10.1.1.5
  • SHA384 (usmHMAC256SHA384AuthProtocol): .1.3.6.1.6.3.10.1.1.6
  • SHA512 (usmHMAC384SHA512AuthProtocol): .1.3.6.1.6.3.10.1.1.7

By using the OID of SHA1, the SNMP user can manually be set to use the SHA1 protocol:

[Expert@fwmgmthost:0]# dbset snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3

The change can be verified back in Gaia (in clish):

fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA1
Privacy Type n/a

The protocol now shows SHA1!

However, this is not enough yet. An SNMPv3 connection with the sha protocol now fails with an authentication failure. The reason is that the dbset only changed the protocol label: the SNMPv3 USM key the agent stores for the user is derived from the passphrase and the engine ID with the hash algorithm that was in use when the user was created (RFC 3414, A.2), so the key on the appliance is still a SHA256 key and can never match the SHA1 key that snmpwalk derives from the same passphrase:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6
snmpwalk: Authentication failure (incorrect password, community or key)

To solve this, the password of snmpuser needs to be reset through the UI. In System Management -> SNMP -> V3 User-Based Security Model (USM) select the SNMP user and edit the user. Do not change any fields (even if they are empty), simply enter a new password in the "Authentication Passphrase" field.

Change SNMP User in Checkpoint Gaia

Then click on Save and at the bottom of the SNMP page click on "Apply".
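To make the "Authentication failure" after the dbset (and why re-entering the passphrase fixes it) reproducible, here is an added Python example that is not part of the original article and not Checkpoint or net-snmp code. It implements the USM password-to-key and key localization steps from RFC 3414 (MD5, SHA1) and RFC 7860 (SHA-2), then replays the situation from this page: the user was created with SHA256, the auth:proto OID is flipped to SHA1, and the manager signs with sha. It assumes that the Gaia agent, like net-snmp, keeps the localized key rather than the passphrase; the engine ID and passphrase are constructed sample values (the RFC 3414 test vector) and the message bytes stand in for a serialized SNMPv3 message with a zero-filled msgAuthenticationParameters field.

```python
import hashlib
import hmac

# USM authentication protocols (RFC 3414 for MD5/SHA-1, RFC 7860 for SHA-2):
# name -> (hashlib algorithm, length of the truncated HMAC in bytes)
AUTH_PROTOCOLS = {
    "md5":    ("md5",    12),  # .1.3.6.1.6.3.10.1.1.2  HMAC-MD5-96
    "sha":    ("sha1",   12),  # .1.3.6.1.6.3.10.1.1.3  HMAC-SHA-96
    "sha224": ("sha224", 16),  # .1.3.6.1.6.3.10.1.1.4  HMAC-128-SHA-224
    "sha256": ("sha256", 24),  # .1.3.6.1.6.3.10.1.1.5  HMAC-192-SHA-256
    "sha384": ("sha384", 32),  # .1.3.6.1.6.3.10.1.1.6  HMAC-256-SHA-384
    "sha512": ("sha512", 48),  # .1.3.6.1.6.3.10.1.1.7  HMAC-384-SHA-512
}


def password_to_key(password: bytes, proto: str) -> bytes:
    """Ku: hash over the passphrase repeated cyclically to exactly 1 MiB (RFC 3414 A.2)."""
    algo, _ = AUTH_PROTOCOLS[proto]
    total = 1_048_576
    full, rem = divmod(total, len(password))
    return hashlib.new(algo, password * full + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-user key the agent stores."""
    algo, _ = AUTH_PROTOCOLS[proto]
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, proto: str, msg: bytes) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (auth field zeroed), truncated."""
    algo, trunc = AUTH_PROTOCOLS[proto]
    return hmac.new(kul, msg, algo).digest()[:trunc]


def verify(kul: bytes, proto: str, msg: bytes, tag: bytes) -> bool:
    """Agent-side check, constant-time compare of the truncated HMAC."""
    return hmac.compare_digest(auth_params(kul, proto, msg), tag)


def switch_protocol_without_rekey(password: bytes, engine_id: bytes, msg: bytes):
    """Replay of the article: user created with SHA256, auth:proto flipped to SHA1 via dbset.

    Returns (authenticates after dbset only, authenticates after passphrase reset).
    Assumption: the agent stores the localized key Kul, as net-snmp does.
    """
    # Key the agent computed and stored when the user was created with SHA256.
    stored_kul = localize_key(password_to_key(password, "sha256"), engine_id, "sha256")
    # The manager (snmpwalk -a sha) derives its own key from the same passphrase with SHA-1.
    manager_kul = localize_key(password_to_key(password, "sha"), engine_id, "sha")
    tag = auth_params(manager_kul, "sha", msg)
    # Agent now runs HMAC-SHA-96 (per the edited DB) but still holds the SHA256-derived key.
    before_reset = verify(stored_kul, "sha", msg, tag)
    # Re-entering the passphrase in the UI makes the agent recompute Kul with the current protocol.
    rekeyed_kul = localize_key(password_to_key(password, "sha"), engine_id, "sha")
    after_reset = verify(rekeyed_kul, "sha", msg, tag)
    return before_reset, after_reset


if __name__ == "__main__":
    # Constructed sample values: RFC 3414 A.3 test vector, not a real appliance or secret.
    engine_id = bytes.fromhex("000000000000000000000002")
    password = b"maplesyrup"
    msg = b"constructed placeholder for an SNMPv3 message with zeroed auth field"
    print("Ku  (sha):", password_to_key(password, "sha").hex())
    print("Kul (sha):", localize_key(password_to_key(password, "sha"), engine_id, "sha").hex())
    before, after = switch_protocol_without_rekey(password, engine_id, msg)
    print("auth OK after dbset only:     ", before)
    print("auth OK after passphrase reset:", after)
```

The same derivation also explains why Net::SNMP and check_nwc_health cannot simply be pointed at a SHA256 user: without the SHA-2 entries in the protocol table, neither the localized key nor the longer truncated HMAC can be computed on the manager side.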

SNMPv3 login with SHA1 should now work:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6 |more
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2620.1.6.123.1.48
[...]

And this also means that monitoring with the check_nwc_health plugin now works again, too:

$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode hardware-health
OK - environmental hardware working fine | 'disk_/_free'=65%;10:;5:;0;100 'disk_/boot_free'=80%;10:;5:;0;100 'disk_/var/log_free'=30%;10:;5:;0;100 'clock_deviation'=0;60;120;;

SHA1 is outdated and insecure

Although this workaround ensures that monitoring continues to work on this Checkpoint management appliance, there is one major downside: the SHA1 hash has been deprecated for years and vendors are removing it, which is exactly why Gaia R81.10 no longer offers it. Note also that the user runs with the security level authNoPriv: the packets are authenticated, but the polled data itself is sent in clear text. SNMP connections to the appliance must therefore only be allowed from a very restricted set of monitoring hosts in a secure (internal) network, and the SHA1 setting should be reverted to SHA256 as soon as the monitoring plugin supports it.

This of course also raises the question of whether (Perl-based) SNMP monitoring is still a viable choice in the future. That heavily depends on support for the newer, stronger protocols being implemented in the Perl modules and the monitoring plugins built on top of them.

