Driver Support Document

CheckPoint VPN-1 devices, versions R67, R70, R71, R75, R76 & R77 running Linux kernel 2.x

SYSOID Mapping
SYSOID                          MODEL                        OS VERSION
1.3.6.1.4.1.2620                12600                        2.x
1.3.6.1.4.1.2620.1.6.123.1.7    unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.8    unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.11   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.15   Smart-150                    2.x
1.3.6.1.4.1.2620.1.6.123.1.20   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.21   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.34   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.35   4200                         2.6.18
1.3.6.1.4.1.2620.1.6.123.1.38   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.40   VPN-1                        2.x
1.3.6.1.4.1.2620.1.6.123.1.41   unknown                      2.x
1.3.6.1.4.1.2620.1.6.123.1.42   12600                        2.x
1.3.6.1.4.1.2620.1.6.123.1.44   13500                        2.x
1.3.6.1.4.1.2620.1.6.123.1.45   21400                        2.x
1.3.6.1.4.1.2620.1.6.123.1.48   VMware Virtual CheckPoint    2.x
1.3.6.1.4.1.2620.1.6.123.1.49   Security Management Server   2.x
1.3.6.1.4.1.2620.1.6.123.1.53   12200                        2.x
1.3.6.1.4.1.2620.1.6.123.1.61   23500                        2.x
1.3.6.1.4.1.2620.1.6.123.1.63   15400                        2.x
1.3.6.1.4.1.2620.1.6.123.1.66   5200                         2.x
1.3.6.1.4.1.2620.1.6.123.1.68   5600                         2.x

Driver Features Support Grid

Access methods covered by the grid: CLI, SNMP, TFTP, CLI+TFTP, SNMP+TFTP, FTP, CLI+FTP, SNMP+FTP, CLI+SFTP, SCP, CLI+SCP, SNMP+SCP, HTTP/HTTPS
(X signifies feature support)

 X  Driver Discovery (see release notes)
 X  General Access (see release notes)
      CLI protocols: telnet, ssh1, ssh2, console
      Supports SecurID

Configuration
 X  Retrieve Running Configuration (see release notes)
    Retrieve Startup Configuration
 X  Retrieve Binary Configuration
 X  Device information parsing
 X  Enhanced Layer2 Basic IP information parsing
 X  Configuration Deployment to Running
    Configuration Deployment to Startup
    Binary Configuration Deployment

Diagnostics
 X  Routing Table
    OSPF Neighbors
 X  Interfaces
 X  Modules and Inventory
    Flash Storage Space
    File System
 X  Uptime
 X  ICMP Test
 X  Topology Parsing
 X  Duplex Parsing
 X  Enhanced VLAN Parsing

Features
    Software Center
    Software Image Synchronization
 X  Password Management (can modify: full password)
    Syslog Configuration and Change Detection
 X  Custom Scripts and Diagnostics (bulk deploy available)
 X  ACL Parsing
    ACL Provisioning
    VLAN Provisioning
 X  Configlet Parsing
 X  QoS Parsing
    VRF Parsing
    Context Management

Retrieve Running Configuration

Release Notes

Collect the default CheckPoint rule files

The driver can collect the CheckPoint rules files from the $FWDIR directory. In some cases these files may be superseded by a Management engine, making them a waste to collect; because of this, they are skipped by default. To enable collection of the rules.C and object.C files, set the access variable "skip_FWDIR" to "false".

Binary collection using the backup command

CheckPoint models support a "backup" command that produces a comprehensive collection of configuration and status information. Since this file is very large, it can be collected by checking the optional "Binary" configuration checkbox when the snapshot task is run. Repeated collection and storage is not recommended, as it will quickly grow the database.

Using try_sudo on multiple devices

CheckPoint devices support the "try_sudo" device access variable, which when set to true issues the command "sudo bash" immediately after login. Users can also set the RCX setting "Drivers/CheckPoint/try_sudo" to apply the try_sudo device access variable across all devices that use this driver.

Using "clish -c" to run clish commands

Some CheckPoint devices do not work as expected when commands are run directly from clish mode. To avoid this behaviour, set the 'Use_CLISH' device access variable to true, which runs the clish commands using the "clish -c" option.

Device information parsing

Release Notes

Model selection using Platform label

CheckPoint drivers normally take their Model information from the Product Name label, but the Platform label can be used instead by setting the device access variable "usePlatform" to "true".

General Access

Release Notes

Use Sudo and SU to gain root access for tasks

Three options are included in the driver to gain temporary root access to the device. If the variable 'try_sudo' is set to true, the driver issues "sudo su - root" immediately after login. If the variable 'try_su' is set, the driver issues "su - root" immediately after login. If the variable 'try_sudo_cmd' is set, sudo is not run at login, but any command failing with 'permission denied' is re-run as 'sudo [cmd]'. Not all Linux-based devices support this option.

Retrieve Running Configuration

Release Notes (inherited)

Selection of configuration files to be retrieved

Drivers for Linux-based devices gather their configuration from a number of separate files and the output of various commands. The driver selects a list of files deemed essential to the device configuration, but this list can be supplemented by use of an access variable. To add files and commands to the list gathered by the driver, set the variable "configfiles" to a comma-delimited list of items. Commands are specified with a leading "@" character, and a text file containing a list of files to be gathered is specified with a leading "#" character. For example, "/etc/nsswitch.conf, @ifconfig, #/etc/config_file_list" adds the three items to the configuration.

Selection of binary configuration files to be retrieved

This driver also supports a corresponding "binconfigfiles" variable, which specifies binary files to be collected in a snapshot. Wildcards are supported, and multiple files can be specified as a comma-delimited list. If multiple files are specified, they are put into a TAR-GZ container after collection. The binary configuration cannot be deployed to the device, but it can be downloaded from the View Configuration page through a link at the top of the page.

Ignoring ip address information changes

Some devices supported by this driver may have IP information that routinely changes. By setting the device access variable "ignore_ips" to "true", IP address changes in the ifconfig and netstat output are ignored when comparing snapshot data.

Including non-reachable files

The driver supports wildcards in the configfiles variable by using the "find" command to locate files matching a filespec on the device. Files not detected by this method are skipped during the transfer stage, to reduce the number of failed SCP connections, but this can miss files that are root-protected (if try_su/try_sudo is selected). To attempt to transfer files even if they cannot be located with the find command, set the device access variable "ignore_file_check" to "true".
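As an added example (not part of the driver or of this document), the following Python models how the "configfiles" value described above is interpreted together with the find-based check from "Including non-reachable files": it splits the comma-delimited list into files and commands, expands a "#" list file, matches wildcards against the names find reported, and skips unlocated files unless ignore_file_check is set. The list-file contents, the find results, /fwdir (standing in for $FWDIR) and /etc/ssh/sshd_config are constructed sample data, not values from the page.

```python
import fnmatch


def parse_configfiles(spec, read_list=lambda path: open(path).read()):
    """Split a configfiles-style value into (files, commands).

    Items are comma-delimited; a leading '@' marks a command to run and a
    leading '#' names a text file on the device that lists further files
    (one per line). read_list fetches that list file's text."""
    files, commands = [], []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if item.startswith("@"):
            commands.append(item[1:].strip())
        elif item.startswith("#"):
            listed = read_list(item[1:].strip()).splitlines()
            files.extend(line.strip() for line in listed if line.strip())
        else:
            files.append(item)
    return files, commands


def select_files(patterns, found, ignore_file_check=False):
    """Decide which files to transfer. 'found' stands in for the names the
    device-side 'find' reported; wildcards expand against it (fnmatch is a
    stand-in here: unlike find, its '*' also matches '/'). A literal file
    absent from 'found' is skipped unless ignore_file_check is set."""
    selected = []
    for pat in patterns:
        if any(ch in pat for ch in "*?["):
            selected.extend(sorted(fnmatch.filter(found, pat)))
        elif pat in found or ignore_file_check:
            selected.append(pat)
    return selected


# Constructed sample data: contents of the '#' list file and the files that
# 'find' would report. /fwdir is a placeholder for the device's $FWDIR.
SAMPLE_LIST_FILE = "/etc/hosts\n\n/etc/resolv.conf\n"
FOUND_BY_FIND = ["/etc/hosts", "/etc/resolv.conf", "/etc/nsswitch.conf",
                 "/fwdir/conf/rules.C", "/fwdir/conf/object.C"]
SPEC = ("/etc/nsswitch.conf, @ifconfig, #/etc/config_file_list, "
        "/etc/ssh/sshd_config, /fwdir/conf/*.C")


def demo():
    """Return (files, commands, default selection, ignore_file_check selection)."""
    files, commands = parse_configfiles(SPEC, read_list=lambda p: SAMPLE_LIST_FILE)
    default = select_files(files, FOUND_BY_FIND)
    forced = select_files(files, FOUND_BY_FIND, ignore_file_check=True)
    return files, commands, default, forced
```

In the sample, /etc/ssh/sshd_config is absent from the find results, so it is dropped by default and transferred only when ignore_file_check is set.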

Driver Discovery

Release Notes

More prompt causes an unexpected disconnection

Discovery tasks for JavaScript drivers handle More prompts by using timeouts; the third-party SSH client code interprets such a timeout as a disconnection, which causes problems. There are two ways to work around this. Setting the RCX option [<option name="Driver/Discovery/UsePollRead">true</option>] in site_options.rcx effects the workaround for all affected devices. Alternatively, it can be applied to a single device by setting the device access variable "PollRead" to "true".

Wakeup Ctrl-U character can cause discovery to fail

Discovery tasks for JavaScript drivers send wakeup characters during device connection to ensure that the device is responding. Normally these characters do not echo to the console, but some devices may echo them. In this case the prompt detection phase fails, which in turn can cause More prompts not to be handled properly, and discovery may fail. If these characters are echoed from the device (check the session log to see this), set the device access variable "skip_ctrl_u" to skip the sending of the wakeup characters. Note that setting this option on a previously working device could cause discovery tasks to fail, but it only affects CLI discovery; SNMP discovery is unaffected.
