9 Replies Latest reply: May 11, 2013 8:30 AM by PhilM

    SNMP Configuration Config Help

    digistras

      Hi all,

       

      We have 2x SideWinder (HA Cluster) running on version 4.0.0.04 and there is a need to configure SNMP on the SideWinder for polling and traps. I have read the SNMP configuration in the Administration Guide (for version 6.1.1, as I could not find the guide for 4.0.0.04) and I'm still confused about how I should configure SNMP on the SideWinder to enable polling. I need help with the following statements from the guide:

       

      1. "The SNMP agent may be enabled in any single burb that is not the Firewall burb."

       

      Q. What does it mean by Firewall burb? Is there even a burb for Firewall?

       

       

      2. "To allow SNMP management stations that reside in other burbs for the SNMP agent, you must create an allow rule for SNMP and enable the SNMP proxy in the appropriate burb(s)."

       

      Q. We have an internal NMS for internal polling and traps of the SideWinder and its IP address is in our burb named "Tier2". We also have an external NMS to poll and trap the SideWinder and its IP address is outside of our network range. All traffic that is destined for outside our range will have to go through the burb named "I-Net".

       

      Q. So with this setup, how should I configure the SNMP agent and SNMP proxy? Which Burb will use what?

       

       

      3. "Enabling/disabling the SNMP server

       

      Perform the following steps to enable or disable the SNMP server.

       

      1. In the Admin Console select Services Configuration -> Servers.

       

      2. Select snmpd from the list of server names, and then click the Control tab.

       

      3. Select the burb for which the SNMP agent will be enabled or disabled. The SNMP agent can only be enabled for one burb, and it cannot be enabled for the Firewall burb.

       

      4. Click the Save icon."

       

      Q. I don't see "Services Configuration -> Servers." and the "Control tab." on my SideWinder at all. Need help on where to find these options or how to enable the SNMP Server on my SideWinder.

       

       

      Appreciate if anyone can help. Thanks in advance!

        • 1. Re: SNMP Configuration Config Help
          sliedl

          If you really are at version 6 of the firewall you need to upgrade right now as it is no longer supported.


          Once you get to 70103 we can help you.

          • 2. Re: SNMP Configuration Config Help
            PhilM

            While I am personally unable to answer your SNMP-related questions, I can answer one question. Yes, there is a Firewall burb. Though you can't see it in the GUI, if you connect to the command line and run the "region" command you will see all of your burbs listed along with a numeric reference against each. You will notice that there is actually a burb 0 and this is the Firewall burb.

             

            Otherwise sliedl is correct. The version 6 product (the last one to be exclusively called Sidewinder). The version you appear to be running (6.1.1 - the 4.0.0.04 is the version number for the Admin GUI) went out of support in April 2008!

             

            6.1.2 had an EOL date of Dec 2009.

             

            The next version (v7) which became Firewall Enterprise is still in support at version 7.0.1.03 and there is now an all-new Firewall Enterprise product (v8) which is already at 8.3.0.

             

            Which version you are able to upgrade to is also dictated by which appliance model you are running. If you look at the following link you will be able to see if your hardware is still in support (which, judging from the version of software you are running, seems unlikely) and which version of the Firewall product it will be able to run.

             

            http://www.mcafee.com/us/support/support-eol-appliances.aspx#appl_firewall

             

            The D model appliances have just gone end of life in the last couple of weeks, by the looks of it.

             

            -Phil.

            • 3. Re: SNMP Configuration Config Help
              sliedl

              You can go to this website, http://go.mcafee.com/patch.cfm?productid=side&version=701, enter your serial number, and the v6 to v7 upgrade and the v70007 to 70100 upgrade instructions are there.

               

              This KB has the v7 to v8 upgrade instructions:  KB75362.

              • 4. Re: SNMP Configuration Config Help
                digistras

                I hate to say this but to upgrade our current version to v7 is not something I can decide or control. The customer and people that I work with are not very easy to handle or convince to perform the upgrade. I have raised upgrade benefits and advantages to them before but only came back with 1 reply:

                 

                "If it ain't broken, don't fix it"

                 

                Therefore I'm really kind of stuck in this situation and my choices are limited. I really hope that I can get help on the SNMP issue stated in my 1st post w/o upgrading.

                • 5. Re: SNMP Configuration Config Help
                  digistras

                  Hey guys, I just found out that our Sidewinder Version is actually v7.0.1.02!

                   

                  My bad for the error and confusion earlier.

                   

                  Now I encountered another issue when trying to create a new rule for SNMP Proxy. The error says:

                   

                  "Error encountered while modifying rule data: TSWParameterError: A port conflict exists on ports ['161'] between service (snmp) and service (UDP_162)"

                   

                  Although it is pretty obvious what the error meant, I still don't understand the error.

                   

                  Anyone able to help please?

                  • 6. Re: SNMP Configuration Config Help
                    PhilM

                    Basically it means that you have an existing service in use (looks like it's called UDP_162) which is preventing the snmp proxy service from starting.

                     

                    In v6 it was necessary to enable each service in the proxy screen in order for the firewall to start a process to listen on the defined TCP/UDP ports. If you tried to enable a service which used ports already in use, you would be unable to do so.

                     

                    Since v7, it is no longer necessary to enable the services yourself - they are enabled automatically when a rule is created using that service. However the same basic rule applies (two into one won't go) and you can't have multiple services trying to use the same ports.

                     

                    You are left with two choices:-

                     

                    1. Don't use the snmp service in your new rule and use the UDP_162 service (along with another user-defined service for UDP port 161).
                    2. Find the rule currently using the service UDP_162 and modify it to use the snmp proxy service instead.

                     

                    The problem you may have with option 2 is if the rule is using a user-defined service because, as a protocol-level aware service, using the snmp proxy wouldn't work as the traffic actually passing through this rule isn't snmp.

                     

                    -Phil.

                     

                    p.s. While 7.0.1.02 is somewhat better than the version you thought you were running, it still has a relatively short life span (EOL in September 2013). As to your customer's approach, I have encountered that numerous times, but it is a double-edged sword. While the "if it isn't broke..." philosophy means that a certain status quo can be maintained, those who abide by that are normally the first to raise merry hell when a genuine problem does arise.

                     

                    Working with numerous vendors myself, I know what the first question is going to be when reporting any problem - "is it running the latest version?". 9 times out of 10 by keeping the product up-to-date, you will probably avoid most common product issues. Plus if you do have a legitimate issue and the product is up-to-date, as long as you have a support contract in place, the vendor is then in a position to do something about it.

                     

                    Message was edited by: PhilM on 10/05/13 10:35:49 IST
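A simplified model of the port-conflict check described in the reply above, added here as an illustration (it is not McAfee's code and not from the thread). The rule names and the port sets, including UDP_162 covering 161-162, are constructed assumptions chosen so the overlap lands on port 161 as in the quoted error; check the real service definitions on the firewall.

```python
class PortConflict(Exception):
    """Raised when two different active services claim the same port."""

# Constructed service definitions: name -> (protocol, ports).
# Assumption: UDP_162 covers 161-162, so the overlap with snmp is port 161.
SERVICES = {
    "snmp": ("udp", frozenset({161})),
    "UDP_162": ("udp", frozenset({161, 162})),
}

def active_services(rules):
    """A service becomes active as soon as any rule references it (v7 behaviour)."""
    return {r["service"] for r in rules}

def add_rule(rules, new_rule, services=SERVICES):
    """Return rules + [new_rule], or raise PortConflict naming the overlap."""
    proto, ports = services[new_rule["service"]]
    for other in sorted(active_services(rules) - {new_rule["service"]}):
        o_proto, o_ports = services[other]
        clash = sorted(ports & o_ports) if proto == o_proto else []
        if clash:
            raise PortConflict(
                f"ports {clash} between service ({new_rule['service']}) "
                f"and service ({other})")
    return rules + [new_rule]

def migrate(rules, old, new):
    """Option 2: repoint every rule that uses `old` to the `new` service."""
    return [dict(r, service=new) if r["service"] == old else r for r in rules]

# Constructed rule set (hypothetical names): one rule already uses UDP_162.
EXISTING = [{"name": "traps_out", "service": "UDP_162"}]
NEW = {"name": "ext_nms_poll", "service": "snmp"}

def demo():
    try:
        add_rule(EXISTING, NEW)
        first = "accepted"
    except PortConflict as exc:
        first = str(exc)
    # Option 1: the new rule reuses the service that is already active.
    option1 = add_rule(EXISTING, dict(NEW, service="UDP_162"))
    # Option 2: move the existing rules to snmp, then add the new rule.
    option2 = add_rule(migrate(EXISTING, "UDP_162", "snmp"), NEW)
    return first, len(option1), active_services(option2)

if __name__ == "__main__":
    print(demo())
```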
                    • 7. Re: SNMP Configuration Config Help
                      digistras

                      I appreciate all the help given to me so far and at this stage, I'd just like to take a step back and confirm if I have understood the SNMP rule configuration correctly. I'll just give a brief setup of our required SNMP layout and what I have created so far:

                       

                      1. Internal SNMP Station

                       

                      IP Address: 172.24.250.247

                      Burb in which this IP resides: Mgmt_Tier

                      Rule that I have created for internal SNMP Station:

                       

                      Service            | Source Burb | Source IP      | Destination Burb | Destination IP
                      snmpd (SNMP Agent) | Mgmt_Tier   | 172.24.250.247 | internal         | <any>

                       

                      Results: Internal SNMP Station is able to poll the SideWinder for equipment information.

                       

                      2. External SNMP Station

                       

                      IP Address: 172.18.152.91 (IP that is outside of our network range)

                      Burb in which this IP resides: I-Net (This burb is where all external traffic goes in and out)

                      Rule that I have created for external SNMP Station:

                       

                      Service           | Source Burb | Source IP     | Destination Burb | Destination IP
                      snmp (SNMP Proxy) | I-Net       | 172.18.152.91 | internal         | <any>

                       

                      Results: Following error occurred:

                       

                      "Error encountered while modifying rule data: TSWParameterError: A port conflict exists on ports ['161'] between service (snmp) and service (UDP_162)"

                      P.S Pls ignore the error for now

                       

                       

                      Is the above rule creation correct?

                       

                      Message was edited by: digistras on 5/11/13 2:48:32 AM CDT
                      • 8. Re: SNMP Configuration Config Help
                        digistras

                        Hey PhilM,

                         

                        "2.  Find the rule currently using the service UDP_162 and modify it to use the snmp proxy service instead.

                         

                        The problem you may have with option 2 is if the rule is using a user-defined service because, as a protocol-level aware service, using the snmp proxy wouldn't work as the traffic actually passing through this rule isn't snmp."

                         

                        We do have a few user-defined rules that are using the UDP_162 (udp162) service and my investigation tells me that they are all for SNMP traffic.

                         

                        If I understand you correctly,

                         

                        1. I'll need to change UDP_162 (udp162) to snmp (SNMP Proxy) and it should not affect the rules that require SNMP traffic?

                         

                        2. Also in this case, I should be able to create a rule (with no errors) using SNMP Proxy service to allow the external NMS station to poll my SideWinder?

                         

                        Message was edited by: digistras on 5/11/13 3:02:00 AM CDT

                         

                        Message was edited by: digistras on 5/11/13 3:04:11 AM CDT
                        • 9. Re: SNMP Configuration Config Help
                          PhilM

                          As I said from the outset, I'm not really in a position to answer snmp-specific questions. The only observation I can make regarding the rules in general is that you have created them to cross burb boundaries (I-Net to internal and Mgmt_Tier to internal), but then ask whether this will allow your NMS station to poll your Sidewinder. Given that the rules are designed to pass traffic *through* the Firewall, I would say the answer is no. If you want to poll the Sidewinder I would expect the rules to terminate on the same burb and this would then indicate that you are expecting to talk *to*, rather than *through* Sidewinder.

                           

                          Maybe you will be able to find better answers using the McAfee knowledge base (located at https://mysupport.mcafee.com). There's a good chance you will find SNMP-related articles for Sidewinder (or McAfee Firewall Enterprise, as it is now called) version 7.

                           

                           

                          We do have a few user-defined rules that are using the UDP_162 (udp162) service and my investigation tells me that they are all for SNMP traffic.

                           

                          If I understand you correctly,

                           

                          1. I'll need to change UDP_162 (udp162) to snmp (SNMP Proxy) and it should not affect the rules that require SNMP traffic?

                           

                           

                          As long as the traffic passing is SNMP, as you say, then changing the service in these rules will then allow you to create your new rule using the snmp proxy service. Given the snmp service is available 'out of the box' so to speak, I can only wonder if there was a reason why user-defined services were chosen before.

                           

                          Message was edited by: PhilM on 11/05/13 14:30:52 IST