Driver Support Document
SYSOID Mapping | ||
SYSOID | MODEL | OS VERSION |
1.3.6.1.4.1.2620 | 12600 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.7 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.8 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.11 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.15 | Smart-150 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.20 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.21 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.34 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.35 | 4200 | 2.6.18 |
1.3.6.1.4.1.2620.1.6.123.1.38 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.40 | VPN-1 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.41 | unknown | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.42 | 12600 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.44 | 13500 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.45 | 21400 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.48 | VMware Virtual CheckPoint | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.49 | Security Management Server | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.53 | 12200 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.61 | 23500 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.63 | 15400 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.66 | 5200 | 2.x |
1.3.6.1.4.1.2620.1.6.123.1.68 | 5600 | 2.x |
The driver can collects the CheckPoint's rules files from the $FWDIR directory. In some cases these files may be superceded by a Management engine, and thus a waste to collect. Because of this, these files are skipped by default. To enable collection of the rules.C and object.C files, set the access variable "skip_FWDIR" to "false".
CheckPoint models support the use of a "backup" command that collects a comprehensive collectiong of configuration and status information. Since this file is very large in size, it can be collected by checking the optional "Binary" configuration checkbox when the snapshot task is run. Repeated collection and storage is not recommended, as it will quickly grow the database in size.
CheckPoint devices support the use of the "try_sudo" device access variable, which when set to true will issue the command "sudo bash" immediately after login. Users can also set the RCX setting "Drivers/CheckPoint/try_sudo" to effect the try_sudo device access variable across all devices that use this driver.
Some CheckPoint devices do not work as expected when commands are run directly from clish mode. To avoid this behaviour users are required to set the 'Use_CLISH' device access variable to true which will run the clish commands using the "clish -c" option.
CheckPoint drivers normally select their Model information from the Product Name label, but the Platform label can be used by setting the device access variable "usePlatform" to "true".
Three options are included in the driver to gain temporary root access to the device. If the the variable 'try_sudo' is set to true, the driver will issue "sudo su - root" immediately after login. If the variable 'try_su' is set, the driver will issue "su - root" immediately after login. If the variable 'try_sudo_cmd' is set, sudo will not be run a login, but any command failing with 'permission denied' will be re-run using 'sudo [cmd]'. Not all Linux-based devices support this option.
Drivers for Linux-based devices gather their configuration in a number of separate files and the output of various commands. The driver selects a list of files deemed to be essential to the device configuration, but this list can be supplemented by use of an access variable. To add files and commands to the list gathered by the driver, set the variable "configfiles" to a comma-delimited list of items. Commands should be specified using a "@" character, and a text file containing a list of files to be gathered can be specified by a leading "#" character. For example, "/etc/nsswitch.conf, @ifconfig, #/etc/config_file_list" will add the three items to the configuration.
This driver also supports a corresponding "binconfigfiles" variable, which is used to specify binary files to be collected in snapshot. Wildcards are supported, and multiple files can be specified by using a comma-delimited list. If multiple files are specified, they will be put into a TAR-GZ container after collection. The binary configuration can not be deployed to the device, but can be downloaded from the View Configuration page through a link at the top of the page.
Some devices suppoted by this driver may have IP information that routinely changes. By setting the device access variable "ignore_ips" to "true", the IP address changes in the ifconfig and netstat commands will be ignored when comparing snapshot data.
The driver supports wildcards in the configfiles variable by using the "find" command to locate files matching a filespec on the device. Files not detected by this method are skipped during the transfer stage, to reduce the number of failed SCP connections, but this can miss files that are root-protected (if try_su/try_sudo is selected). To attempt to transfer files even if they can not be located with the FIND command, set the device access variable "ignore_file_check" to "true".
Discovery tasks for Javascript drivers handle More prompts by using timeouts, which can cause problems with the third-party SSH client code, which interprets the timeout as a disconnection. There are two options to work around the problem. Setting the RCX option [<option name="Driver/Discovery/UsePollRead">true</option>] in site_options.rcx will effect the workaround for all affected devices. Alternatively, it could be applied to a single device by setting the device access variable "PollRead" to "true".
Discovery tasks for Javascript drivers use wakeup characters are sent during device connection, to ensure that the device is responding. Normally, these characters do not echo to the console, but some devices may echo them. In this case, this causes the prompt detection phase to fail, which in turn can cause More prompts to not be handled properly, and discovery may fail. If these characters are echoed from the device [check the session log to see this], then set the device access variable "skip_ctrl_u" to skip the sending of the wakeup characters. Note that setting this option on a previously working device could cause discovery tasks to fail, but it only affects CLI discovery. SNMP discovery is unaffected.