1 Reply Latest reply on Jul 27, 2015 3:43 PM by thyvarin

    Problem with SNMP Traps NGFW

    layer0

      Hello

      I have the following issue: I configured the SNMP traps following the guide "Stonesoft Administrators Guide".

      I configured the SNMP Agent:

      [attachment: SNMP Agent.PNG]

      I configured the Engine:

      [attachment: SNMP Agent 2.PNG]

      I also configured the alerts. I receive emails with the alert and I can also check the alerts in the SMC, but I don't receive any alert by SNMP. I tried capturing packets (tcpdump on port 162) from the Manager, but I don't see any communication.

      What can be wrong? Are there any logs I can check?

      Thanks

        • 1. Re: Problem with SNMP Traps NGFW
          thyvarin

          Hi,

          Trap sending should work just fine as long as you installed the policy after enabling SNMP trap sending. I tested in a lab by creating an entry to send traps to one of the lab SMC Linux servers, and with tcpdump I can see that the NGFW engine sent traps. There's no SNMP software installed on the Linux server, so nothing is actually listening and receiving the traffic, but I just wanted to verify that traps are sent after I enable SNMP trap sending in the NGFW cluster properties and install the policy.

          Here's what I did:


          [root@fw-smc58-1 ~]# ssh root@172.22.x.x
          Password:
          root@fw-sg-59-1:~# sg-cluster offline
          root@fw-sg-59-1:~# sg-cluster online
          root@fw-sg-59-1:~# exit
          logout


          And I could see 4 incoming traps:

          [root@fw-smc58-1 ~]# tcpdump -nnnvpi eth0 port 162
          tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
          15:34:22.263896 IP (tos 0x0, ttl 64, id 20112, offset 0, flags [DF], proto UDP (17), length 161)
              172.22.x.x.161 > 172.22.y.y.162:  { SNMPv2c C=community1 { V2Trap(113) R=663  .1.3.6.1.2.1.1.3.0=296280706 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.1369.6.1.2.0.5 .1.3.6.1.4.1.1369.6.1.1.5.0="User root started sshd session on ssh" } }
          15:34:31.834298 IP (tos 0x0, ttl 64, id 20726, offset 0, flags [DF], proto UDP (17), length 124)
              172.22.x.x.161 > 172.22.y.y.162:  { SNMPv2c C=community1 { V2Trap(77) R=664  .1.3.6.1.2.1.1.3.0=296281663 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.1369.6.1.2.0.2 .1.3.6.1.4.1.1369.6.1.1.3.0=5 } }
          15:34:39.054068 IP (tos 0x0, ttl 64, id 21200, offset 0, flags [DF], proto UDP (17), length 124)
              172.22.x.x.161 > 172.22.y.y.162:  { SNMPv2c C=community1 { V2Trap(77) R=665  .1.3.6.1.2.1.1.3.0=296282385 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.1369.6.1.2.0.1 .1.3.6.1.4.1.1369.6.1.1.3.0=1 } }
          15:34:41.968522 IP (tos 0x0, ttl 64, id 21255, offset 0, flags [DF], proto UDP (17), length 162)
              172.22.x.x.161 > 172.22.y.y.162:  { SNMPv2c C=community1 { V2Trap(114) R=666  .1.3.6.1.2.1.1.3.0=296282677 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.1369.6.1.2.0.9 .1.3.6.1.4.1.1369.6.1.1.5.0="User root finished sshd session on ssh" } }


          You can enable SNMP Monitoring diagnostics logging to make the NGFW engine generate more verbose logging (right-click the cluster/single-node level element --> "Options" --> "Diagnostics" --> "SNMP Monitoring"). After enabling this, you should see more detailed logs in the SMC log browser regarding the SNMP operation. Note that afterwards you should disable any unnecessary diagnostics logging, as it can be quite verbose.

          BR,

          Tero
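The receiving side of the exchange Tero captured, as an added example that is not part of this thread or of the NGFW/SMC software: a stdlib-only decoder for an SNMPv2c trap datagram, the kind a listener on UDP/162 would see. The sample bytes are hand-encoded here (constructed, not a real capture) from the values tcpdump printed for the second trap above, so the decoded fields and the 96-byte payload length can be checked against that line.

```python
# Constructed sample: the capture's second trap (V2Trap(77) R=664), hand-encoded in BER; 96 bytes + 28 header bytes = "length 124".
SAMPLE_TRAP = bytes.fromhex(
    "305e 020101 040a 636f6d6d756e69747931"                        # SEQUENCE, version 1 (v2c), "community1"
    "a74d 02020298 020100 020100"                                   # SNMPv2-Trap PDU [7], request-id 664, error-status/-index 0
    "3041"                                                          # varbind list (65 bytes)
    "3010 0608 2b06010201010300 4304 11a8e63f"                      # sysUpTime.0 = TimeTicks 296281663
    "301a 060a 2b060106030101040100 060c 2b060104018a590601020002"  # snmpTrapOID.0 = .1.3.6.1.4.1.1369.6.1.2.0.2
    "3011 060c 2b060104018a590601010300 020105"                     # .1.3.6.1.4.1.1369.6.1.1.3.0 = INTEGER 5
)

def ber_items(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a BER buffer into (tag, body) pairs; handles short and long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                 # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def decode_oid(body: bytes) -> str:
    """First byte packs arcs as 40*x+y; later arcs are base-128 with continuation bit 0x80."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return "." + ".".join(map(str, arcs))

def decode_value(tag: int, body: bytes):
    if tag == 0x02: return int.from_bytes(body, "big", signed=True)     # INTEGER
    if tag in (0x41, 0x42, 0x43): return int.from_bytes(body, "big")    # Counter32/Gauge32/TimeTicks
    if tag == 0x04: return body.decode("utf-8", "replace")              # OCTET STRING
    return decode_oid(body) if tag == 0x06 else body.hex()              # OID, else raw hex

def decode_trap(datagram: bytes) -> dict:
    """Return version, community, request id and varbinds of an SNMPv2c trap; reject other PDUs."""
    (_, ver), (_, community), (pdu_tag, pdu) = ber_items(ber_items(datagram)[0][1])
    if pdu_tag != 0xA7:                              # context tag [7] = SNMPv2-Trap-PDU
        raise ValueError(f"not an SNMPv2-Trap PDU (tag 0x{pdu_tag:02x})")
    (_, rid), _, _, (_, vbl) = ber_items(pdu)        # request-id, error-status, error-index, varbinds
    varbinds = []
    for _, vb in ber_items(vbl):
        (_, oid), (vtag, vbody) = ber_items(vb)
        varbinds.append((decode_oid(oid), decode_value(vtag, vbody)))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "request_id": int.from_bytes(rid, "big"), "varbinds": varbinds}

if __name__ == "__main__":
    print(decode_trap(SAMPLE_TRAP))
```

The varbind order (sysUpTime.0, then snmpTrapOID.0, then the enterprise-specific objects under .1.3.6.1.4.1.1369) is the fixed SNMPv2c trap layout, which is why tcpdump prints them in that order above.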