SNMP v3 authentication with SHA1 protocol not working after Checkpoint Gaia upgrade to R81.XX

Written by - 2 comments

Published on - last updated on May 2nd 2022 - Listed in Monitoring Security Network


After a Checkpoint management appliance, running on Gaia, was upgraded from R80.30 to R81.10, the monitoring stopped working. We needed to apply a workaround to enable the deprecated SHA1 protocol again.

Monitoring Checkpoint with SNMP

To monitor the Checkpoint appliance, we are using Gerhard Lausser's monitoring plugin check_nwc_health behind our monitoring core software, Icinga 2. This monitoring plugin uses SNMP to connect to a network device, such as a switch or firewall.

The plugin supports SNMPv3 authentication using the md5 and sha (SHA1) authentication protocols:

$ /usr/lib/nagios/plugins/check_nwc_health --help|grep protocol
 --protocol
   The SNMP protocol to use (default: 2c, other possibilities: 1,3)
 --authprotocol
   The authentication protocol for SNMPv3 (md5|sha)

 --privprotocol
   The private protocol for SNMPv3 (des|aes|aes128|3des|3desde)

After a quick (and non-thorough) research, it is not clear, whether check_nwc_health uses its own SNMP client implementation or the Perl module Net::SNMP. The latter is still in version 6.0.1, released in September 2010 (!). This version only supports md5 and sha authentication protocols. From the documentation:

Two different hash algorithms are defined by SNMPv3 which can be used by the Security Model for authentication. These algorithms are HMAC-MD5-96 "MD5" (RFC 1321) and HMAC-SHA-96 "SHA-1" (NIST FIPS PUB 180-1). The default algorithm used by the module is HMAC-MD5-96. This behavior can be changed by using the -authprotocol argument. This argument expects either the string 'md5' or 'sha' to be passed to modify the hash algorithm.

Right now it looks as if check_nwc_health uses Net::SNMP in the background, which would explain the same (outdated) authentication protocol options.

However since the Checkpoint upgrade, SNMP authentication now only supports the SHA256 and SHA512 protocols. This can be seen in the management (web) UI when creating a new SNMP user:

This is OK, when using the net-snmp commands, such as snmpwalk or snmpget. Since net-snmp 5.8 the newer authentication protocols are supported:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a SHA-256 -A secret FWMGMTHOST 1.3.6 |head -n 1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"

However check_nwc_health returns an unknown protocol in this case:

$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol SHA-256 --mode hardware-health -vvvvvvvvvvvvvvvvvvv 
Fri Jan 14 11:42:03 2022: $VAR1 = {
  '-domain' => 'udp',
  '-port' => 161,
  '-translate' => [
    '-all',
    0,
    '-nosuchobject',
    1,
    '-nosuchinstance',
    1,
    '-endofmibview',
    1,
    '-unsigned',
    1
  ],
  '-authprotocol' => 'SHA-256',
  '-username' => 'snmpuser',
  '-authpassword' => 'secret',
  '-hostname' => 'FWMGMTHOST',
  '-timeout' => 13,
  '-version' => '3'
};

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Monitoring::GLPlugin::Commandline::override_opt

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::check_messages

Fri Jan 14 11:42:03 2022: AUTOLOAD Classes::Device::nagios_exit

CRITICAL - cannot create session object: The authProtocol "SHA-256" is unknown

Update: Read the follow-up article to learn how to use Perl Net::SNMP v3 authentication with newer SHA protocols.

Workaround: Enabling SHA1 in Checkpoint Gaia

While an issue has been opened to request support for the newer authentication protocols in check_nwc_health, the monitoring of this Checkpoint management appliance needs to work again. As a workaround, the old SHA1 protocol can be enabled in Gaia again.

To do that, login with SSH on the Checkpoint management appliance. 

In the Gaia clish, run the following command the show the current SNMP user configuration:

fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA256
Privacy Type n/a

Now switch to the expert mode:

fwmgmthost> expert
Enter expert password: **********
Warning! All configurations should be done through clish
You are in expert mode now.

Check the current authentication protocol, defined in /config/active:

[Expert@fwmgmthost:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.5

The OID ".1.3.6.1.6.3.10.1.1.5" stands for the SHA256 protocol. The corresponding OID for the SHA1 protocol is 1.3.6.1.6.3.10.1.1.3. An overview of the snmpAuthProtocols protocols and their OIDs:

  • MD5: 1.3.6.1.6.3.10.1.1.2
  • SHA(1): 1.3.6.1.6.3.10.1.1.3
  • SHA224: 1.3.6.1.6.3.10.1.1.4
  • SHA256: 1.3.6.1.6.3.10.1.1.5
  • SHA384: 1.3.6.1.6.3.10.1.1.6
  • SHA512: 1.3.6.1.6.3.10.1.1.7

By using the OID of SHA1, the SNMP user can manually be set to use the SHA1 protocol:

[Expert@fwmgmthost:0]# dbset snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3

The change can be verified back in Gaia (in clish):

fwmgmthost> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA1
Privacy Type n/a

The protocol now shows SHA1!

However this is not enough yet. A SNMPv3 connection with the SHA protocol now fails with an authentication failure:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6
snmpwalk: Authentication failure (incorrect password, community or key)

To solve this, the password of snmpuser needs to be reset through the UI. In System Management -> SNMP -> V3 User-Based Security Model (USM) select the SNMP user and edit the user. Do not change any fields (even if they are empty), simply enter a new password in the "Authentication Passphrase" field.

Change SNMP User in Checkpoint Gaia

Then click on Save and at the bottom of the SNMP page click on "Apply".

SNMPv3 login with SHA1 should now work:

$ snmpwalk -v 3 -l authNoPriv -u snmpuser -a sha -A secret FWMGMTHOST 1.3.6 |more
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fwmgmthost 3.10.0-957.21.3cpx86_64 #1 SMP Tue Dec 7 16:34:42 IST 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2620.1.6.123.1.48
[...]

And this also means that monitoring with the check_nwc_health plugin now works again, too:

$ /usr/lib/nagios/plugins/check_nwc_health --hostname FWMGMTHOST --protocol 3 --username snmpuser --authpassword secret --authprotocol sha --mode hardware-health
OK - environmental hardware working fine | 'disk_/_free'=65%;10:;5:;0;100 'disk_/boot_free'=80%;10:;5:;0;100 'disk_/var/log_free'=30%;10:;5:;0;100 'clock_deviation'=0;60;120;;

Workaround without the UI

In certain Checkpoint devices, for example VSX firewalls, the SNMP settings don't appear in the UI. In this case, all the operations need to be done on the command line.

Use SSH to connect to the management IP of the device.

To enable SNMP and allow access to the virtual firewalls (vsN), use the following commands:

[Expert@vsx:0]# clish
vsx:0> set snmp agent on
vsx:0> set snmp mode vs
SNMP mode is already "vs"
vsx:0> set snmp vs-direct-access on
vsx:0> exit

To create a new SNMPv3 user:

[Expert@vsx:0]# clish
vsx:0> add snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret

By the way: The clish also supports an additional parameter "authentication-protocol", however only SHA256 or SHA512 are supported:

vsx:0> add snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret authentication-protocol SHA1
NMSSNM0283  Must provide a valid authentication protocol (SHA256/SHA512)

To grant the user "snmpuser" access to all VS contexts, use:

vsx:0> set snmp usm user snmpuser vsid all

Switch to the expert mode (exit clish) and the user appears in /config/active:

[Expert@vsx:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.7

As mentioned above, this is the OID for SHA512.

Now use the dbset command to manually set the OID to SHA1:

[Expert@vsx:0]# dbset snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3

Verify:

[Expert@vsx:0]# cat /config/active | grep "auth:proto"
snmp:v3:user:snmpuser:auth:proto .1.3.6.1.6.3.10.1.1.3

Verify in clish:

[Expert@vsx:0]# clish
vsx:0> show snmp usm user snmpuser
Username snmpuser
Permissions read-only
Security Level authNoPriv
Authentication Type SHA1
Privacy Type n/a
Allowed VSIDs :  0-3,5-8

At this point the authentication protocol is set to SHA1, however SNMP authentication still doesn't work from a SNMP client. The password needs to be set again. This can be done with the following command in clish:

vsx:0> set snmp usm user snmpuser security-level authNoPriv auth-pass-phrase secret

From this moment on, SNMP connections from monitoring work again, including access into VS contexts.

SHA1 is outdated and insecure

Although this workaround ensures that monitoring continues to work on this Checkpoint management appliance, there is one major downside: The SHA1 protocol is outdated and deemed insecure for a long time already. The SNMP connections must therefore only be allowed from a very restricted set of hosts in a secure (internal) network.

This of course also raises the question, whether (Perl-based) SNMP monitoring is still a choice in the future. This heavily depends on implementation of stronger and newer protocols and updated Perl scripts and modules.


Add a comment

Show form to leave a comment

Comments (newest first)

ck from Sweden wrote on Apr 8th, 2022:

Thanks for the hint Gerhard. I manually patched USM.pm and it works!


Gerhard Laußer from wrote on Mar 3rd, 2022:

Get this patch here, apply it on /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm or put a patched USM.pm in your PERL5LIB path. I am using this in a Red Hat 7/8 environment, but i guess it should work for other distributions too.
https://www.mail-archive.com/ports@openbsd.org/msg106148.html


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder