Check Point

Check Point Software Technologies Ltd. is an Israeli multinational provider of software and combined hardware and software products for IT security, including network security, endpoint security, mobile security, data security and security management.

Available solutions




This template is for Zabbix version: 7.0
Also available for: 6.4 6.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/net/checkpoint/quantum_ngfw_snmp?at=release/7.0

Check Point Next Generation Firewall by SNMP

Overview

This template is designed for the effortless deployment of Check Point Next Generation Firewall monitoring by Zabbix via SNMP and doesn't require any external scripts.

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

  • Check Point 4800 Appliance Next Generation Firewall

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

Refer to vendor documentation.

Macros used

Name Description Default
{$CPU.UTIL.CRIT}

Threshold of CPU utilization for the Warning trigger in %.

90
{$LOAD_AVG_PER_CPU.MAX.WARN}

Load per CPU considered sustainable. Change if needed.

1.5
{$ICMP_LOSS_WARN}

Threshold of ICMP packet loss for the Warning trigger in %.

20
{$ICMP_RESPONSE_TIME_WARN}

Threshold of average ICMP response time for the Warning trigger in seconds.

0.15
{$SNMP.TIMEOUT}

Time interval for the SNMP availability trigger.

5m
{$MEMORY.UTIL.MAX}

Warning threshold for the item "Physical memory: Memory utilization".

90
{$FW.DROPPED.PACKETS.TH}

Used in Firewall discovery.

0
{$DISK.FREE.MIN.CRIT}

Critical threshold of disk space usage.

5G
{$DISK.FREE.MIN.WARN}

Warning threshold of disk space usage.

10G
{$DISK.PUSED.MAX.WARN}

Disk utilization threshold for Warning trigger in %.

80
{$DISK.PUSED.MAX.CRIT}

Disk utilization threshold for Critical trigger in %.

90
{$DISK.NAME.MATCHES}

Used in Storage discovery. Can be overridden on the host or linked template level.

.+
{$DISK.NAME.NOT_MATCHES}

Used in Storage discovery. Can be overridden on the host or linked template level.

^(/dev|/sys|/run|/proc|.+/shm$)
{$VPN.NAME.MATCHES}

Used in VPN discovery. Can be overridden on the host or linked template level.

.*
{$VPN.NAME.NOT_MATCHES}

Used in VPN discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$VPN.STATE.CONTROL}

Used in the "Tunnel down" trigger. Can be used with the interface name as context.

1
{$NET.IF.ERRORS.WARN}

Threshold of error packet rate for the Warning trigger. Can be used with the interface name as context.

2
{$NET.IF.UTIL.MAX}

Threshold of interface bandwidth utilization for the Warning trigger in %. Can be used with interface name as context.

95
{$NET.IF.CONTROL}

Macro for the interface operational state for the "Link down" trigger. Can be used with the interface name as context.

1
{$NET.IF.IFADMINSTATUS.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFADMINSTATUS.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

^2$
{$NET.IF.IFDESCR.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFDESCR.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$NET.IF.IFNAME.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFNAME.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$NET.IF.IFOPERSTATUS.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFOPERSTATUS.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

^6$
{$NET.IF.IFTYPE.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFTYPE.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$NET.IF.IFALIAS.MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

.*
{$NET.IF.IFALIAS.NOT_MATCHES}

Used in Network interfaces discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$TEMP.NAME.MATCHES}

Used in Temperature discovery. Can be overridden on the host or linked template level.

.*
{$TEMP.NAME.NOT_MATCHES}

Used in Temperature discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$TEMP.VALUE.LOW}

Used in Temperature discovery. Can be overridden on the host or linked template level.

5
{$TEMP.VALUE.CRIT}

Used in Temperature discovery. Can be overridden on the host or linked template level.

75
{$TEMP.VALUE.WARN}

Used in Temperature discovery. Can be overridden on the host or linked template level.

65
{$VOLT.NAME.MATCHES}

Used in Voltage discovery. Can be overridden on the host or linked template level.

.*
{$VOLT.NAME.NOT_MATCHES}

Used in Voltage discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$SW.NAME.MATCHES}

Used in Software blade discovery. Can be overridden on the host or linked template level.

.*
{$SW.NAME.NOT_MATCHES}

Used in Software blade discovery. Can be overridden on the host or linked template level.

CHANGE_IF_NEEDED
{$LICENSE.EXPIRY.WARN}

Number of days until the license expires.

7
{$LICENSE.CONTROL}

Used in Software blade discovery. Can be overridden on the host or linked template level.

1

Items

Name Description Type Key and additional info
Appliance product name

MIB: CHECKPOINT-MIB

Appliance product name.

SNMP agent system.hw.model

Preprocessing

  • Discard unchanged with heartbeat: 1d

Appliance serial number

MIB: CHECKPOINT-MIB

Appliance serial number.

SNMP agent system.hw.serialnumber

Preprocessing

  • Discard unchanged with heartbeat: 1d

Appliance manufacturer

MIB: CHECKPOINT-MIB

Appliance manufacturer.

SNMP agent system.hw.manufacturer

Preprocessing

  • Discard unchanged with heartbeat: 1d

Remote Access users

MIB: CHECKPOINT-MIB

Number of remote access users.

SNMP agent remote.users.number

Preprocessing

  • JSON Path: $.length()

System contact details

MIB: SNMPv2-MIB

Name and contact information of the contact person for the node. If not provided, the value is a zero-length string.

SNMP agent system.contact

Preprocessing

  • Discard unchanged with heartbeat: 12h

System description

MIB: SNMPv2-MIB

Full name and version identification of the system's hardware type, software operating system, and networking software.

SNMP agent system.descr

Preprocessing

  • Discard unchanged with heartbeat: 12h

System location

MIB: SNMPv2-MIB

Physical location of the node (e.g., equipment room, 3rd floor). If not provided, the value is a zero-length string.

SNMP agent system.location

Preprocessing

  • Discard unchanged with heartbeat: 12h

System name

MIB: SNMPv2-MIB

An administratively-assigned name for the node (the node's fully-qualified domain name). If not provided, the value is a zero-length string.

SNMP agent system.name

Preprocessing

  • Discard unchanged with heartbeat: 12h

System object ID

MIB: SNMPv2-MIB

The vendor's authoritative identification of the entity as part of the vendor's SMI enterprises subtree with the prefix 1.3.6.1.4.1 (e.g., a vendor with the identifier 1.3.6.1.4.1.4242 might assign a system object with the OID 1.3.6.1.4.1.4242.1.1).

SNMP agent system.objectid

Preprocessing

  • Discard unchanged with heartbeat: 12h

System uptime

MIB: HOST-RESOURCES-V2-MIB

Time since the network management portion of the system was last re-initialized.

SNMP agent system.uptime

Preprocessing

  • Custom multiplier: 0.01

Number of CPUs

MIB: CHECKPOINT-MIB

Number of processors.

SNMP agent system.cpu.num

Preprocessing

  • Discard unchanged with heartbeat: 1h

CPU utilization

MIB: CHECKPOINT-MIB

CPU utilization per core in %.

SNMP agent system.cpu.util
Load average (1m avg)

MIB: UCD-SNMP-MIB

Average number of processes being executed or waiting over the last minute.

SNMP agent system.cpu.load.avg1
Load average (5m avg)

MIB: UCD-SNMP-MIB

Average number of processes being executed or waiting over the last 5 minutes.

SNMP agent system.cpu.load.avg5
Load average (15m avg)

MIB: UCD-SNMP-MIB

Average number of processes being executed or waiting over the last 15 minutes.

SNMP agent system.cpu.load.avg15
CPU user time

MIB: CHECKPOINT-MIB

Average time the CPU has spent running user processes that are not niced.

SNMP agent system.cpu.user
CPU system time

MIB: CHECKPOINT-MIB

Average time the CPU has spent running the kernel and its processes.

SNMP agent system.cpu.system
CPU idle time

MIB: CHECKPOINT-MIB

Average time the CPU has spent doing nothing.

SNMP agent system.cpu.idle
Context switches per second

MIB: UCD-SNMP-MIB

Number of context switches per second.

SNMP agent system.cpu.switches

Preprocessing

  • Change per second
CPU interrupts per second

MIB: CHECKPOINT-MIB

Number of interrupts processed per second.

SNMP agent system.cpu.intr
Total memory

MIB: CHECKPOINT-MIB

Total real memory in bytes. Memory used by applications.

SNMP agent vm.memory.total
Active memory

MIB: CHECKPOINT-MIB

Active real memory (memory used by applications that is not cached to the disk) in bytes.

SNMP agent vm.memory.active
Free memory

MIB: CHECKPOINT-MIB

Free memory available for applications in bytes.

SNMP agent vm.memory.free
Used memory

Used real memory calculated by total real memory and free real memory in bytes.

Calculated vm.memory.used
Memory utilization

Memory utilization in %.

Calculated vm.memory.util
Encrypted packets per second

MIB: CHECKPOINT-MIB

Number of encrypted packets per second.

SNMP agent vpn.packets.encrypted

Preprocessing

  • Change per second
Decrypted packets per second

MIB: CHECKPOINT-MIB

Number of decrypted packets per second.

SNMP agent vpn.packets.decrypted

Preprocessing

  • Change per second
ICMP ping

Host accessibility by ICMP.

0 - ICMP ping fails.

1 - ICMP ping successful.

Simple check icmpping
ICMP loss

Percentage of lost packets.

Simple check icmppingloss
ICMP response time

ICMP ping response time (in seconds).

Simple check icmppingsec
SNMP agent availability

Availability of SNMP checks on the host. The value of this item corresponds to the availability icons in the host list.

Possible values:

0 - not available

1 - available

2 - unknown

Zabbix internal zabbix[host,snmp,available]
SNMP traps (fallback)

Used to collect all SNMP traps unmatched by other snmptrap items.

SNMP trap snmptrap.fallback
SNMP walk network interfaces

Used for discovering interfaces from IF-MIB.

SNMP agent net.if.walk
SNMP walk CPU

Used for discovering CPU from CHECKPOINT-MIB.

SNMP agent system.cpu.walk
SNMP walk VPN tunnels

Used for discovering VPN tunnels from CHECKPOINT-MIB.

SNMP agent vpn.tunnel.walk
SNMP walk disks

Used for discovering storage disks from CHECKPOINT-MIB.

SNMP agent vfs.fs.walk
SNMP walk temperature sensors

Used for discovering temperature sensors from CHECKPOINT-MIB.

SNMP agent sensor.temp.walk
SNMP walk fan sensors

Used for discovering fan sensors from CHECKPOINT-MIB.

SNMP agent sensor.fan.walk
SNMP walk voltage sensors

Used for discovering voltage sensors from CHECKPOINT-MIB.

SNMP agent sensor.volt.walk
SNMP walk PSU sensors

Used for discovering power supply sensors from CHECKPOINT-MIB.

SNMP agent sensor.psu.walk
SNMP walk svn features

Used for discovering software blades and features from CHECKPOINT-MIB.

SNMP agent svn.feature.walk

Triggers

Name Description Expression Severity Dependencies and additional info
Device has been replaced

The device serial number has changed. Acknowledge to close the problem manually.

last(/Check Point Next Generation Firewall by SNMP/system.hw.serialnumber,#1)<>last(/Check Point Next Generation Firewall by SNMP/system.hw.serialnumber,#2) and length(last(/Check Point Next Generation Firewall by SNMP/system.hw.serialnumber))>0 Info Manual close: Yes
System name has changed

The name of the system has changed. Acknowledge to close the problem manually.

last(/Check Point Next Generation Firewall by SNMP/system.name,#1)<>last(/Check Point Next Generation Firewall by SNMP/system.name,#2) and length(last(/Check Point Next Generation Firewall by SNMP/system.name))>0 Info Manual close: Yes
Device has been restarted

Uptime is less than 10 minutes.

last(/Check Point Next Generation Firewall by SNMP/system.uptime)<10m Info Manual close: Yes
High CPU utilization

CPU utilization is too high. The system might be slow to respond.

min(/Check Point Next Generation Firewall by SNMP/system.cpu.util,5m)>{$CPU.UTIL.CRIT} Warning
Load average is too high

The load average per CPU is too high. The system may be slow to respond.

min(/Check Point Next Generation Firewall by SNMP/system.cpu.load.avg1,5m)/last(/Check Point Next Generation Firewall by SNMP/system.cpu.num)>{$LOAD_AVG_PER_CPU.MAX.WARN} and last(/Check Point Next Generation Firewall by SNMP/system.cpu.load.avg5)>0 and last(/Check Point Next Generation Firewall by SNMP/system.cpu.load.avg15)>0 Average
High memory utilization

The system is running out of free memory.

min(/Check Point Next Generation Firewall by SNMP/vm.memory.util,5m)>{$MEMORY.UTIL.MAX} Average
Unavailable by ICMP ping

Last three attempts returned timeout. Please check device connectivity.

max(/Check Point Next Generation Firewall by SNMP/icmpping,#3)=0 High
High ICMP ping loss

ICMP packet loss detected.

min(/Check Point Next Generation Firewall by SNMP/icmppingloss,5m)>{$ICMP_LOSS_WARN} and min(/Check Point Next Generation Firewall by SNMP/icmppingloss,5m)<100 Warning Depends on:
  • Unavailable by ICMP ping
High ICMP ping response time

Average ICMP response time is too high.

avg(/Check Point Next Generation Firewall by SNMP/icmppingsec,5m)>{$ICMP_RESPONSE_TIME_WARN} Warning Depends on:
  • Unavailable by ICMP ping
  • High ICMP ping loss
No SNMP data collection

SNMP is not available for polling. Please check device connectivity and SNMP settings.

max(/Check Point Next Generation Firewall by SNMP/zabbix[host,snmp,available],{$SNMP.TIMEOUT})=0 Warning Depends on:
  • Unavailable by ICMP ping

LLD rule Firewall discovery

Name Description Type Key and additional info
Firewall discovery

This discovery will create a set of firewall metrics from CHECKPOINT-MIB if the firewall is installed.

SNMP agent fw.discovery

Preprocessing

  • JavaScript: The text is too long. Please see the template.

Item prototypes for Firewall discovery

Name Description Type Key and additional info
Check Point Firewall: Firewall filter name{#SINGLETON}

MIB: CHECKPOINT-MIB

Name of the firewall filter.

SNMP agent fw.filter.name[fwFilterName.{#SNMPINDEX}]

Preprocessing

  • Discard unchanged with heartbeat: 1h

Check Point Firewall: Firewall filter install time{#SINGLETON}

MIB: CHECKPOINT-MIB

Last install time of the firewall filter.

SNMP agent fw.filter.installed[fwFilterDate.{#SNMPINDEX}]

Preprocessing

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 6h

Check Point Firewall: Firewall version{#SINGLETON}

MIB: CHECKPOINT-MIB

Current version of the firewall.

SNMP agent fw.version[fwVersion.{#SNMPINDEX}]

Preprocessing

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h

Check Point Firewall: Accepted packets per second{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of accepted packets per second.

SNMP agent fw.accepted[fwAccepted.{#SNMPINDEX}]

Preprocessing

  • Change per second
Check Point Firewall: Rejected packets per second{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of rejected packets per second.

SNMP agent fw.rejected[fwRejected.{#SNMPINDEX}]

Preprocessing

  • Change per second
Check Point Firewall: Dropped packets per second{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of dropped packets per second.

SNMP agent fw.dropped[fwDropped.{#SNMPINDEX}]

Preprocessing

  • Change per second
Check Point Firewall: Logged packets per second{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of logged packets per second.

SNMP agent fw.logged[fwLogged.{#SNMPINDEX}]

Preprocessing

  • Change per second
Check Point Firewall: SIC Trust State{#SINGLETON}

MIB: CHECKPOINT-MIB

Firewall SIC Trust State.

SNMP agent fw.sic.trust.state[fwSICTrustState.{#SNMPINDEX}]
Check Point Firewall: Utilized drops number per second{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of dropped packets per second due to instance being fully utilized.

SNMP agent fw.utilized.drops[fwFullyUtilizedDrops.{#SNMPINDEX}]

Preprocessing

  • Change per second
Check Point Firewall: Concurrent connections{#SINGLETON}

MIB: CHECKPOINT-MIB

Number of concurrent IPv6 and IPv4 connections.

SNMP agent fw.conn.num[fwNumConn.{#SNMPINDEX}]
Check Point Firewall: Peak concurrent connections{#SINGLETON}

MIB: CHECKPOINT-MIB

Peak number of concurrent connections since last reboot.

SNMP agent fw.conn.num.peak[fwPeakNumConn.{#SNMPINDEX}]

Trigger prototypes for Firewall discovery

Name Description Expression Severity Dependencies and additional info
Check Point Firewall: Instance is currently fully utilized

This trigger uses the number of dropped packets, an increase of which indicates that the instance is fully utilized.

avg(/Check Point Next Generation Firewall by SNMP/fw.utilized.drops[fwFullyUtilizedDrops.{#SNMPINDEX}],5m)>{$FW.DROPPED.PACKETS.TH} High

LLD rule VPN discovery

Name Description Type Key and additional info
VPN discovery

For discovering VPN tunnels from CHECKPOINT-MIB.

Dependent item vpn.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for VPN discovery

Name Description Type Key and additional info
VPN {#VPN.NAME}: Peer IP address

MIB: CHECKPOINT-MIB

VPN peer IP address.

Dependent item vpn.tunnel.peer_ip[tunnelPeerIpAddr.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.1.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

VPN {#VPN.NAME}: Tunnel state

MIB: CHECKPOINT-MIB

VPN tunnel state:

3 - active

4 - destroy

129 - idle

130 - phase1

131 - down

132 - init

Dependent item vpn.tunnel.state[tunnelState.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.3.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

VPN {#VPN.NAME}: Community

MIB: CHECKPOINT-MIB

VPN tunnel community.

Dependent item vpn.tunnel.community[tunnelCommunity.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.4.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

VPN {#VPN.NAME}: Tunnel interface

MIB: CHECKPOINT-MIB

VPN tunnel interface.

Dependent item vpn.tunnel.netif[tunnelInterface.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.6.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

VPN {#VPN.NAME}: Source IP

MIB: CHECKPOINT-MIB

Source IP address.

Dependent item vpn.tunnel.src_ip[tunnelSourceIpAddr.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.7.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

VPN {#VPN.NAME}: Link priority

MIB: CHECKPOINT-MIB

Link priority.

Dependent item vpn.tunnel.priority[tunnelLinkPriority.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.8.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

VPN {#VPN.NAME}: Probing state

MIB: CHECKPOINT-MIB

VPN tunnel probing state:

0 - unknown

1 - alive

2 - dead

Dependent item vpn.tunnel.prob_state[tunnelProbState.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.9.{#SNMPINDEX}

VPN {#VPN.NAME}: Peer type

MIB: CHECKPOINT-MIB

VPN peer type.

Dependent item vpn.tunnel.peer_type[tunnelPeerType.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.10.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

VPN {#VPN.NAME}: Tunnel type

MIB: CHECKPOINT-MIB

VPN tunnel type.

Dependent item vpn.tunnel.type[tunnelType.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.500.9002.1.11.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for VPN discovery

Name Description Expression Severity Dependencies and additional info
VPN {#VPN.NAME}: Tunnel down

This trigger expression works as follows:
1. It can be triggered if the current tunnel state is down.
2. {$VPN.STATE.CONTROL:"{#VPN.NAME}"}=1 - a user can redefine the context macro to "0", marking this notification as not important. No new trigger will be fired if this tunnel is down.

{$VPN.STATE.CONTROL:"{#VPN.NAME}"}=1 and last(/Check Point Next Generation Firewall by SNMP/vpn.tunnel.state[tunnelState.{#SNMPINDEX}])=131 Average Manual close: Yes

LLD rule CPU discovery

Name Description Type Key and additional info
CPU discovery

For discovering CPU from CHECKPOINT-MIB.

Dependent item cpu.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for CPU discovery

Name Description Type Key and additional info
CPU Core {#CPU.ID}: CPU user time

MIB: CHECKPOINT-MIB

The time the CPU {#CPU.ID} has spent running user processes that are not niced.

Dependent item system.core.user[multiProcUserTime.{#CPU.ID}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.5.1.4.{#SNMPINDEX}

CPU Core {#CPU.ID}: CPU system time

MIB: CHECKPOINT-MIB

The time the CPU {#CPU.ID} has spent running the kernel and its processes.

Dependent item system.core.system[multiProcSystemTime.{#CPU.ID}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.5.1.3.{#SNMPINDEX}

CPU Core {#CPU.ID}: CPU idle time

MIB: CHECKPOINT-MIB

The time the CPU {#CPU.ID} has spent doing nothing.

Dependent item system.core.idle[multiProcIdleTime.{#CPU.ID}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.5.1.2.{#SNMPINDEX}

CPU Core {#CPU.ID}: CPU utilization

MIB: CHECKPOINT-MIB

CPU {#CPU.ID} utilization in %.

Dependent item system.core.util[multiProcUsage.{#CPU.ID}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.5.1.5.{#SNMPINDEX}

LLD rule Storage discovery

Name Description Type Key and additional info
Storage discovery

For discovering storage disks from CHECKPOINT-MIB.

Dependent item vfs.fs.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for Storage discovery

Name Description Type Key and additional info
{#DISK.NAME}: Total disk space

MIB: CHECKPOINT-MIB

Total disk size in bytes.

Dependent item vfs.fs.total[multiDiskSize.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.6.1.3.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

{#DISK.NAME}: Used disk space

MIB: CHECKPOINT-MIB

Amount of disk used in bytes.

Dependent item vfs.fs.used[multiDiskUsed.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.6.1.4.{#SNMPINDEX}

{#DISK.NAME}: Free disk space

MIB: CHECKPOINT-MIB

Free disk capacity in bytes.

Dependent item vfs.fs.free[multiDiskFreeTotalBytes.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.6.1.5.{#SNMPINDEX}

{#DISK.NAME}: Available disk space

MIB: CHECKPOINT-MIB

Available free disk (not reserved by the OS) in bytes.

Dependent item vfs.fs.avail[multiDiskFreeAvailableBytes.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.6.1.7.{#SNMPINDEX}

{#DISK.NAME}: Disk space utilization

Space utilization calculated by the free percentage metric multiDiskFreeTotalPercent, expressed in %

Dependent item vfs.fs.pused[multiDiskUsagePercent.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.6.1.6.{#SNMPINDEX}

  • JavaScript: return 100 - Number(value);

Trigger prototypes for Storage discovery

Name Description Expression Severity Dependencies and additional info
{#DISK.NAME}: Disk space is critically low

Two conditions should match:
1. The first condition - utilization of the space should be above {$DISK.PUSED.MAX.CRIT:"{#DISK.NAME}"}.
2. The second condition should be one of the following:
- the disk free space is less than {$DISK.FREE.MIN.CRIT:"{#DISK.NAME}"};
- the disk will be full in less than 24 hours.

last(/Check Point Next Generation Firewall by SNMP/vfs.fs.pused[multiDiskUsagePercent.{#SNMPINDEX}])>{$DISK.PUSED.MAX.CRIT:"{#DISK.NAME}"} and (last(/Check Point Next Generation Firewall by SNMP/vfs.fs.total[multiDiskSize.{#SNMPINDEX}])-last(/Check Point Next Generation Firewall by SNMP/vfs.fs.used[multiDiskUsed.{#SNMPINDEX}]))<{$DISK.FREE.MIN.CRIT:"{#DISK.NAME}"} Average Manual close: Yes
{#DISK.NAME}: Disk space is low

Two conditions should match:
1. The first condition - utilization of the space should be above {$DISK.PUSED.MAX.WARN:"{#DISK.NAME}"}.
2. The second condition should be one of the following:
- the disk free space is less than {$DISK.FREE.MIN.WARN:"{#DISK.NAME}"};
- the disk will be full in less than 24 hours.

last(/Check Point Next Generation Firewall by SNMP/vfs.fs.pused[multiDiskUsagePercent.{#SNMPINDEX}])>{$DISK.PUSED.MAX.WARN:"{#DISK.NAME}"} and (last(/Check Point Next Generation Firewall by SNMP/vfs.fs.total[multiDiskSize.{#SNMPINDEX}])-last(/Check Point Next Generation Firewall by SNMP/vfs.fs.used[multiDiskUsed.{#SNMPINDEX}]))<{$DISK.FREE.MIN.WARN:"{#DISK.NAME}"} Warning Manual close: Yes
Depends on:
  • {#DISK.NAME}: Disk space is critically low

LLD rule Network interfaces discovery

Name Description Type Key and additional info
Network interfaces discovery

For discovering interfaces from IF-MIB.

Dependent item net.if.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for Network interfaces discovery

Name Description Type Key and additional info
Interface {#IFNAME}({#IFALIAS}): Operational status

MIB: IF-MIB

The current operational state of the interface.

- The testing(3) state indicates that no operational packets can be passed.

- If ifAdminStatus is down(2), then ifOperStatus should be down(2).

- If ifAdminStatus is changed to up(1), then ifOperStatus should change to up(1) if the interface is ready to transmit and receive network traffic.

- It should change to dormant(5) if the interface is waiting for external actions (such as a serial line waiting for an incoming connection).

- It should remain in the down(2) state if and only if there is a fault that prevents it from going to the up(1) state.

- It should remain in the notPresent(6) state if the interface has missing (typically, hardware) components.

Dependent item net.if.status[ifOperStatus.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.8.{#SNMPINDEX}

Interface {#IFNAME}({#IFALIAS}): Bits received

MIB: IF-MIB

The total number of octets received on the interface, including framing characters. This object is a 64-bit version of ifInOctets.

Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.in[ifInOctets.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.31.1.1.1.6.{#SNMPINDEX}

  • Change per second
  • Custom multiplier: 8

Interface {#IFNAME}({#IFALIAS}): Bits sent

MIB: IF-MIB

The total number of octets transmitted out of the interface, including framing characters. This object is a 64-bit version of ifOutOctets.

Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.out[ifOutOctets.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.31.1.1.1.10.{#SNMPINDEX}

  • Change per second
  • Custom multiplier: 8

Interface {#IFNAME}({#IFALIAS}): Inbound packets with errors

MIB: IF-MIB

For packet-oriented interfaces - the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.

For character-oriented or fixed-length interfaces - the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.

Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.in.errors[ifInErrors.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.14.{#SNMPINDEX}

  • Change per second
Interface {#IFNAME}({#IFALIAS}): Outbound packets with errors

MIB: IF-MIB

For packet-oriented interfaces - the number of outbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.

For character-oriented or fixed-length interfaces - the number of outbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.

Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.out.errors[ifOutErrors.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.20.{#SNMPINDEX}

  • Change per second
Interface {#IFNAME}({#IFALIAS}): Outbound packets discarded

MIB: IF-MIB

The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.out.discards[ifOutDiscards.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.19.{#SNMPINDEX}

  • Change per second
Interface {#IFNAME}({#IFALIAS}): Inbound packets discarded

MIB: IF-MIB

The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

Dependent item net.if.in.discards[ifInDiscards.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.13.{#SNMPINDEX}

  • Change per second
Interface {#IFNAME}({#IFALIAS}): Interface type

MIB: IF-MIB

The type of interface.

Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA) through updating the syntax of the IANAifType textual convention.

Dependent item net.if.type[ifType.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.2.2.1.3.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1d

Interface {#IFNAME}({#IFALIAS}): Speed

MIB: IF-MIB

An estimate of the interface's current bandwidth in units of 1,000,000 bits per second.

If this object reports a value of n, then the speed of the interface is somewhere in the range of n-500,000 to n+499,999.

For interfaces that do not vary in bandwidth or for those where no accurate estimation can be made, this object should contain the nominal bandwidth.

For a sub-layer which has no concept of bandwidth, this object should be zero.

Dependent item net.if.speed[ifSpeed.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.2.1.31.1.1.1.15.{#SNMPINDEX}

  • Custom multiplier: 1000000

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Network interfaces discovery

Name Description Expression Severity Dependencies and additional info
Interface {#IFNAME}({#IFALIAS}): Link down

This trigger expression works as follows:
1. It can be triggered if the interface link status is down.
2. {$NET.IF.CONTROL:"{#IFNAME}"}=1 - a user can redefine the context macro to "0", marking this interface as not important. No new trigger will be fired if this interface link is down.
3. {TEMPLATE_NAME:METRIC.diff()}=1 - the trigger fires only if the interface link status was up to "1" sometime before.

WARNING: If closed manually, it will not fire again on the next poll because of diff.

{$NET.IF.CONTROL:"{#IFNAME}"}=1 and last(/Check Point Next Generation Firewall by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}])=1 and (last(/Check Point Next Generation Firewall by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}],#1)<>last(/Check Point Next Generation Firewall by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}],#2)) Average Manual close: Yes
Interface {#IFNAME}({#IFALIAS}): High bandwidth usage

The utilization of the network interface is close to its estimated maximum bandwidth.

(avg(/Check Point Next Generation Firewall by SNMP/net.if.in[ifInOctets.{#SNMPINDEX}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Check Point Next Generation Firewall by SNMP/net.if.speed[ifSpeed.{#SNMPINDEX}]) or avg(/Check Point Next Generation Firewall by SNMP/net.if.out[ifOutOctets.{#SNMPINDEX}],15m)>({$NET.IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/Check Point Next Generation Firewall by SNMP/net.if.speed[ifSpeed.{#SNMPINDEX}])) and last(/Check Point Next Generation Firewall by SNMP/net.if.speed[ifSpeed.{#SNMPINDEX}])>0 Warning Manual close: Yes
Depends on:
  • Interface {#IFNAME}({#IFALIAS}): Link down
Interface {#IFNAME}({#IFALIAS}): High error rate

It recovers when it is below 80% of the {$NET.IF.ERRORS.WARN:"{#IFNAME}"} threshold.

min(/Check Point Next Generation Firewall by SNMP/net.if.in.errors[ifInErrors.{#SNMPINDEX}],5m)>{$NET.IF.ERRORS.WARN:"{#IFNAME}"} or min(/Check Point Next Generation Firewall by SNMP/net.if.out.errors[ifOutErrors.{#SNMPINDEX}],5m)>{$NET.IF.ERRORS.WARN:"{#IFNAME}"} Warning Manual close: Yes
Depends on:
  • Interface {#IFNAME}({#IFALIAS}): Link down
Interface {#IFNAME}({#IFALIAS}): Ethernet has changed to lower speed than it was before

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

change(/Check Point Next Generation Firewall by SNMP/net.if.speed[ifSpeed.{#SNMPINDEX}])<0 and last(/Check Point Next Generation Firewall by SNMP/net.if.speed[ifSpeed.{#SNMPINDEX}])>0 and ( last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=6 or last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=7 or last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=11 or last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=62 or last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=69 or last(/Check Point Next Generation Firewall by SNMP/net.if.type[ifType.{#SNMPINDEX}])=117 ) and (last(/Check Point Next Generation Firewall by SNMP/net.if.status[ifOperStatus.{#SNMPINDEX}])<>2) Info Manual close: Yes
Depends on:
  • Interface {#IFNAME}({#IFALIAS}): Link down

LLD rule Temperature discovery

Name Description Type Key and additional info
Temperature discovery

For discovering temperature sensors from CHECKPOINT-MIB.

Dependent item temperature.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for Temperature discovery

Name Description Type Key and additional info
{#SENSOR.NAME}: Temperature

MIB: CHECKPOINT-MIB

Current temperature reading in degrees Celsius from the hardware component's temperature sensor.

Dependent item sensor.temp.value[tempertureSensorValue.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.{#SNMPINDEX}

Trigger prototypes for Temperature discovery

Name Description Expression Severity Dependencies and additional info
{#SENSOR.NAME}: Temperature is above critical threshold

This trigger uses temperature sensor values.

avg(/Check Point Next Generation Firewall by SNMP/sensor.temp.value[tempertureSensorValue.{#SNMPINDEX}],5m)>{$TEMP.VALUE.CRIT:"{#SENSOR.NAME}"} High
{#SENSOR.NAME}: Temperature is above warning threshold

This trigger uses temperature sensor values.

avg(/Check Point Next Generation Firewall by SNMP/sensor.temp.value[tempertureSensorValue.{#SNMPINDEX}],5m)>{$TEMP.VALUE.WARN:"{#SENSOR.NAME}"} Warning Depends on:
  • {#SENSOR.NAME}: Temperature is above critical threshold
{#SENSOR.NAME}: Temperature is too low

This trigger uses temperature sensor values.

avg(/Check Point Next Generation Firewall by SNMP/sensor.temp.value[tempertureSensorValue.{#SNMPINDEX}],5m)<{$TEMP.VALUE.LOW:"{#SENSOR.NAME}"} Average

LLD rule FAN discovery

Name Description Type Key and additional info
FAN discovery

For discovering fan sensors from CHECKPOINT-MIB.

Dependent item fan.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for FAN discovery

Name Description Type Key and additional info
FAN {#SNMPINDEX}: Fan status

MIB: CHECKPOINT-MIB

Current status of the fan tray.

Dependent item sensor.fan.status[fanSpeedSensorStatus.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.8.2.1.6.{#SNMPINDEX}

FAN {#SNMPINDEX}: Fan speed

MIB: CHECKPOINT-MIB

Current speed of the fan.

Dependent item sensor.fan.speed[fanSpeedSensorValue.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.{#SNMPINDEX}

Trigger prototypes for FAN discovery

Name Description Expression Severity Dependencies and additional info
FAN {#SNMPINDEX}: Fan speed is out of range

Please check the fan unit.

count(/Check Point Next Generation Firewall by SNMP/sensor.fan.status[fanSpeedSensorStatus.{#SNMPINDEX}],#3,"eq",1)=3 Average

LLD rule Voltage discovery

Name Description Type Key and additional info
Voltage discovery

For discovering voltage sensors from CHECKPOINT-MIB.

Dependent item voltage.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for Voltage discovery

Name Description Type Key and additional info
{#SENSOR.NAME}: Voltage value

MIB: CHECKPOINT-MIB

Most recent measurement obtained by the agent for this sensor.

Dependent item sensor.volt.value[voltageSensorValue.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.{#SNMPINDEX}

LLD rule PSU discovery

Name Description Type Key and additional info
PSU discovery

For discovering power supply sensors from CHECKPOINT-MIB.

Dependent item psu.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for PSU discovery

Name Description Type Key and additional info
PSU {#SNMPINDEX}: Power supply status

MIB: CHECKPOINT-MIB

Power supply status.

Dependent item sensor.psu.status[powerSupplyStatus.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.7.9.1.1.2.{#SNMPINDEX}

  • JavaScript: The text is too long. Please see the template.

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for PSU discovery

Name Description Expression Severity Dependencies and additional info
PSU {#SNMPINDEX}: Power supply is in down state

Please check the power supply unit for errors.

count(/Check Point Next Generation Firewall by SNMP/sensor.psu.status[powerSupplyStatus.{#SNMPINDEX}],#3,"eq",1)=3 Average

LLD rule Software blades discovery

Name Description Type Key and additional info
Software blades discovery

For discovering software blades and features from CHECKPOINT-MIB.

Dependent item svn.sw.discovery

Preprocessing

  • SNMP walk to JSON

  • Discard unchanged with heartbeat: 1h

Item prototypes for Software blades discovery

Name Description Type Key and additional info
{#SW.NAME}: License state

MIB: CHECKPOINT-MIB

Current license state of the software blade.

Dependent item svn.sw.license.state[licensingState.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.18.1.1.5.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

{#SW.NAME}: License expiration date

MIB: CHECKPOINT-MIB

Expiration date for the license of the software blade. Doesn't return a value if the license doesn't have an expiration date.

Dependent item svn.sw.license.exp_date[licensingExpirationDate.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.18.1.1.6.{#SNMPINDEX}

  • Does not match regular expression: ^0$

    ⛔️Custom on fail: Discard value

  • Discard unchanged with heartbeat: 6h

{#SW.NAME}: Software blade status

MIB: CHECKPOINT-MIB

Current software blade status.

Dependent item svn.sw.status[licensingBladeActive.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.18.1.1.8.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

{#SW.NAME}: License total quota

MIB: CHECKPOINT-MIB

Total quota amount for the license of the software blade.

Dependent item svn.sw.license.quota.total[licensingTotalQuota.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.18.1.1.9.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 6h

{#SW.NAME}: License used quota

MIB: CHECKPOINT-MIB

Used quota amount for the license of the software blade.

Dependent item svn.sw.license.quota.used[licensingUsedQuota.{#SNMPINDEX}]

Preprocessing

  • SNMP walk value: 1.3.6.1.4.1.2620.1.6.18.1.1.10.{#SNMPINDEX}

  • Discard unchanged with heartbeat: 1h

Trigger prototypes for Software blades discovery

Name Description Expression Severity Dependencies and additional info
{#SW.NAME}: License expires soon

This trigger expression works as follows:
1. It can be triggered if the license expires soon.
2. {$LICENSE.CONTROL:"{#SW.NAME}"}=1 - a user can redefine the context macro to "0", marking the current license as not important. No new trigger will be fired if this license expires.

{$LICENSE.CONTROL:"{#SW.NAME}"}=1 and (last(/Check Point Next Generation Firewall by SNMP/svn.sw.license.exp_date[licensingExpirationDate.{#SNMPINDEX}]) - now()) / 86400 < {$LICENSE.EXPIRY.WARN:"{#SW.NAME}"} and last(/Check Point Next Generation Firewall by SNMP/svn.sw.license.exp_date[licensingExpirationDate.{#SNMPINDEX}]) > now() Warning Manual close: Yes
{#SW.NAME}: License has been expired

This trigger expression works as follows:
1. It can be triggered if the license has been expired.
2. {$LICENSE.CONTROL:"{#SW.NAME}"}=1 - a user can redefine the context macro to "0", marking the current license as not important. No new trigger will be fired if this license is expired.

{$LICENSE.CONTROL:"{#SW.NAME}"}=1 and (last(/Check Point Next Generation Firewall by SNMP/svn.sw.license.exp_date[licensingExpirationDate.{#SNMPINDEX}]) - now()) / 86400 < now() Average Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Articles and documentation

+ Propose new article

Didn't find what you are looking for?