1556 Views 9 Replies Latest reply: May 11, 2013 8:29 AM by PhilM
digistras Newcomer 5 posts since
May 8, 2013
May 8, 2013 11:32 AM

SNMP Configuration Config Help

Hi all,

 

We have a 2x SideWinder (HA Cluster) running on version 4.0.0.04 and there is a need to configure SNMP on the SideWinder for polling and traps. I have read the SNMP configuration in the Administration Guide (for version 6.1.1, as I could not find the guide for 4.0.0.04) and I'm still confused about how I should configure SNMP on the SideWinder to enable polling. I need help on the following statements from the guide:

 

1. "The SNMP agent may be enabled in any single burb that is not the Firewall burb."

 

Q. What does it mean by Firewall burb? Is there even a burb for Firewall?

 

 

2. "To allow SNMP management stations that reside in other burbs for the SNMP agent, you must create an allow rule for SNMP and enable the SNMP proxy in the appropriate burb(s)."

 

Q. We have an internal NMS for internal polling and trap of the SideWinder and its IP address is in our burb named "Tier2". We also have an external NMS to poll and trap the SideWinder and its IP address is outside of our network range. All traffic that is destined for outside our range will have to go through the burb named "I-Net".

 

Q. So with this setup, how should I configure the SNMP agent and SNMP proxy? Which Burb will use what?

 

 

3. "Enabling/disabling the SNMP server

 

Perform the following steps to enable or disable the SNMP server.

 

1. In the Admin Console select Services Configuration -> Servers.

 

2. Select snmpd from the list of server names, and then click the Control tab.

 

3. Select the burb for which the SNMP agent will be enabled or disabled. The SNMP agent can only be enabled for one burb, and it cannot be enabled for the Firewall burb.

 

4. Click the Save icon."

 

Q. I don't see "Services Configuration -> Servers." and the "Control tab." on my SideWinder at all. Need help on where to find these options or how to enable the SNMP Server on my SideWinder.

 

 

Appreciate if anyone can help. Thanks in advance!

  • sliedl McAfee SME 536 posts since
    Nov 3, 2009
    1. May 8, 2013 11:34 AM (in response to digistras)
    Re: SNMP Configuration Config Help

    If you really are at version 6 of the firewall you need to upgrade right now as it is no longer supported.


    Once you get to 70103 we can help you.

  • PhilM Champion 528 posts since
    Jan 7, 2010
    2. May 8, 2013 2:51 PM (in response to digistras)
    Re: SNMP Configuration Config Help

    While I am personally unable to answer your SNMP-related questions, I can answer one question. Yes, there is a Firewall burb. Though you can't see it in the GUI, if you connect to the command line and run the "region" command you will see all of your burbs listed along with a numeric reference against each. You will notice that there is actually a burb 0 and this is the Firewall burb.

     

    Otherwise sliedl is correct. The version 6 product (the last one to be exclusively called Sidewinder). The version you appear to be running (6.1.1 - the 4.0.0.04 is the version number for the Admin GUI) went out of support in April 2008!

     

    6.1.2 had an EOL date of Dec 2009.

     

    The next version (v7) which became Firewall Enterprise is still in support at version 7.0.1.03 and there is now an all-new Firewall Enterprise product (v8) which is already at 8.3.0.

     

    Which version you are able to upgrade to is also dictated by which appliance model you are running. If you look at the following link you will be able to see if your hardware is still in support (which, judging from the version of software you are running, seems unlikely) and which version of the Firewall product it will be able to run.

     

    http://www.mcafee.com/us/support/support-eol-appliances.aspx#appl_firewall

     

    The D model appliances have just gone end of life in the last couple of weeks, by the looks of it.

     

    -Phil.

  • sliedl McAfee SME 536 posts since
    Nov 3, 2009
    3. May 8, 2013 2:58 PM (in response to digistras)
    Re: SNMP Configuration Config Help

    You can go to this website, http://go.mcafee.com/patch.cfm?productid=side&version=701, enter your serial number, and the v6 to v7 upgrade and the v70007 to 70100 upgrade instructions are there.

     

    This KB has the v7 to v8 upgrade instructions:  KB75362.

  • PhilM Champion 528 posts since
    Jan 7, 2010
    6. May 10, 2013 4:35 AM (in response to digistras)
    Re: SNMP Configuration Config Help

    Basically it means that you have an existing service in use (looks like it's called UDP_162) which is preventing the snmp proxy service from starting.

     

    In v6 it was necessary to enable each service in the proxy screen in order for the firewall to start a process to listen on the defined TCP/UDP ports. If you tried to enable a service which used ports already in use, you would be unable to do so.

     

    Since v7, it is no longer necessary to enable the services yourself - they are enabled automatically when a rule is created using that service. However the same basic rule applies (two into one won't go) and you can't have multiple services trying to use the same ports.

     

    You are left with two choices:-

     

    1. Don't use the snmp service in your new rule and use the UDP_162 service (along with another user-defined service for UDP port 161).
    2. Find the rule currently using the service UDP_162 and modify it to use the snmp proxy service instead.

     

    The problem you may have with option 2 is if the rule is using a user-defined service because, as a protocol-level aware service, using the snmp proxy wouldn't work as the traffic actually passing through this rule isn't snmp.

     

    -Phil.

     

    p.s. While 7.0.1.02 is somewhat better than the version you thought you were running, it still has a relatively short life span (EOL in September 2013). As to your customer's approach, I have encountered that numerous times, but it is a double-edged sword. While the "if it isn't broke..." philosophy means that a certain status quo can be maintained, those who abide by that are normally the first to raise merry hell when a genuine problem does arise.

     

    Working with numerous vendors myself, I know what the first question is going to be when reporting any problem - "is it running the latest version?". 9 times out of 10 by keeping the product up-to-date, you will probably avoid most common product issues. Plus if you do have a legitimate issue and the product is up-to-date, as long as you have a support contract in place, the vendor is then in a position to do something about it.

     

    Message was edited by: PhilM on 10/05/13 10:35:49 IST
  • PhilM Champion 528 posts since
    Jan 7, 2010
    9. May 11, 2013 8:30 AM (in response to digistras)
    Re: SNMP Configuration Config Help

    As I said from the outset, I'm not really in a position to answer snmp-specific questions. The only observation I can make regarding the rules in general is that you have created them to cross burb boundaries (I-Net to internal and Mgmt_Tier to internal), but then ask whether this will allow your NMS station to poll your Sidewinder. Given that the rules are designed to pass traffic *through* the Firewall, I would say the answer is no. If you want to poll the Sidewinder I would expect the rules to terminate on the same burb and this would then indicate that you are expecting to talk *to*, rather than *through* Sidewinder.

     

    Maybe you will be able to find better answers using the McAfee knowledge base (located at https://mysupport.mcafee.com). There's a good chance you will find SNMP-related articles for Sidewinder (or McAfee Firewall Enterprise, as it is now called) version 7.

     

     

    We do have a few user-defined rules that are using the UDP_162 (udp162) service and my investigation tells me that they are all for SNMP traffic.

     

    If I understand you correctly,

     

    1. I'll need to change UDP_162 (udp162) to snmp (SNMP Proxy) and it should not affect the rules that require SNMP traffic?

     

     

    As long as the traffic passing is SNMP, as you say, then changing the service in these rules will then allow you to create your new rule using the snmp proxy service. Given the snmp service is available 'out of the box' so to speak, I can only wonder if there was a reason why user-defined services were chosen before.

     

    Message was edited by: PhilM on 11/05/13 14:30:52 IST
