2.5. SNMP

2.5.1. Management with SNMP

Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. An SNMP compliant client can connect to a network device which supports the SNMP protocol to perform management tasks. cOS Core supports access by SNMP clients using the following versions of the SNMP protocol:

  • Version 1.
  • Version 2c.
  • Version 3.

However, only query operations are permitted by clients for security reasons. Specifically, cOS Core supports the following SNMP request operations:

  • The GET REQUEST operation.
  • The GET NEXT REQUEST operation.
  • The GET BULK REQUEST operation (SNMP Version 2c and 3 only).

Setting up SNMP Access in cOS Core

To allow access by an SNMP client, a Remote Management object of the type SNMP Management object must be created in the cOS Core configuration. This object has the following properties:

  • Protocol - Select Version 1 and 2c (the default) or select Version 3.

  • Interface - The cOS Core interface on which SNMP requests will arrive.

  • Network - The IP address or network from which SNMP requests will come.

The other SNMP Management object properties are for security and depend on the SNMP protocol choice. These are explained next.

SNMP Security Options

The following are the security options, depending on which protocol is selected:

  • Versions 1 and 2c

    Authentication for SNMP Versions 1 and 2c uses the Community String property. The Community String is equivalent to a password and should be difficult to guess. It should be constructed in the same way as any other password, using combinations of upper and lower case letters along with digits.

    SNMP versions 1 and 2c do not provide any option for encryption and traffic is sent as plain text. For this reason, SNMP version 3 is often a better choice. If SNMP version 1 or version 2c must be used, it is possible to send the SNMP connection through a VPN tunnel that is established between the client computer and the Clavister firewall.

  • Version 3

    If SNMPv3 is selected for the protocol, it is then possible to set the Security Level property. This can take the following values:

    1. noAuthNoPriv - No authentication and no encryption.

    2. authNoPriv - SHA-1 authentication but no encryption.

    3. authPriv - SHA-1 authentication and AES encryption.

    If authentication is enabled, a Local User Database object must be selected which contains the valid username/password pairs that can be used for client access. Often the predefined AdminUsers database is sufficient if an administrator or auditor username/password combination will be used as the SNMPv3 credentials.

    If encryption is enabled, cOS Core will use only AES encryption. cOS Core does not support DES encryption (as specified in the SNMPv3 RFC) as this is generally now considered to offer inferior security.

The cOS Core MIB Files

An important component required by any SNMP client is the set of MIB files. A Management Information Base (MIB) is a database, usually in the form of a plain text file, that defines the parameters on a network device that an SNMP client can access.

The MIB files for cOS Core are contained within cOS Core itself. They are stored in the cOS Core folder called SNMP_MIB and have the following names:

  • CLAVISTER-MIB.mib
  • CLAVISTER-SMI.mib
  • CLAVISTER-TRAPS-MIB.mib

Downloading MIB Files

The files listed above can be downloaded directly from cOS Core to a management computer's local disk, either using the Web Interface or Secure Copy (SCP). To do this with the Web Interface, go to Status > Maintenance > Resources.

If using an SCP client, a typical command line for download might be the following:

> pscp -l admin -pw admin 192.168.1.17:SNMP_MIB/CLAVISTER-MIB.mib .

Once on the disk storage of a management computer, the files can be imported by the SNMP client software.

MIB downloading is also discussed in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/324735750

MIB Entries

Each entry in the MIB includes a textual explanation of what the value is and a complete list is not reproduced in this guide. A typical MIB file entry for the total number of packets transmitted by an interface appears as follows:

clvIfPktsTotCnt OBJECT-TYPE
  SYNTAX      Counter32
  MAX-ACCESS  read-only
  STATUS      current
  DESCRIPTION "Total number of packets transmitted by the interface"
  ::= { clvIfStatsEntry 10 }
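As an added example (not from this guide or from the CLAVISTER-MIB files), here is a small parser for OBJECT-TYPE entries in the format shown above, usable for reviewing a downloaded MIB: it extracts each object's syntax, access level, description and parent/index, and lists which objects the MIB declares as settable and which are counters. The first entry in the constructed sample is the guide's own; the second is a hypothetical object added only to exercise the access check.

```python
import re

# Constructed sample in the format of the CLAVISTER-MIB entry quoted above.
# The first object is the guide's own entry; the second is hypothetical
# (not a real CLAVISTER-MIB object) and exists only to exercise the checks.
SAMPLE_MIB = """
clvIfPktsTotCnt OBJECT-TYPE
  SYNTAX      Counter32
  MAX-ACCESS  read-only
  STATUS      current
  DESCRIPTION "Total number of packets transmitted by the interface"
  ::= { clvIfStatsEntry 10 }

exampleWritable OBJECT-TYPE
  SYNTAX      Integer32
  MAX-ACCESS  read-write
  STATUS      current
  DESCRIPTION "Hypothetical object used only to exercise the access check"
  ::= { exampleEntry 3 }
"""

# Matches exactly the clauses present in the guide's entry. Optional
# OBJECT-TYPE clauses (UNITS, REFERENCE, INDEX, DEFVAL) are not handled.
OBJECT_TYPE_RE = re.compile(
    r"(?P<name>\w+)\s+OBJECT-TYPE\s+"
    r"SYNTAX\s+(?P<syntax>[^\n]+?)\s+"
    r"MAX-ACCESS\s+(?P<access>[\w-]+)\s+"
    r"STATUS\s+(?P<status>\w+)\s+"
    r'DESCRIPTION\s+"(?P<description>[^"]*)"\s+'
    r"::=\s*\{\s*(?P<parent>\w+)\s+(?P<index>\d+)\s*\}"
)

def parse_object_types(mib_text):
    """Return {object name: fields} for every OBJECT-TYPE macro found."""
    objects = {}
    for m in OBJECT_TYPE_RE.finditer(mib_text):
        fields = m.groupdict()
        fields["syntax"] = fields["syntax"].strip()
        fields["index"] = int(fields["index"])   # position under the parent
        objects[fields["name"]] = fields
    return objects

def writable_objects(objects):
    """Objects the MIB declares as settable; worth noting when reviewing
    what a MIB exposes, even though cOS Core only permits query operations."""
    return sorted(name for name, o in objects.items()
                  if o["access"] in ("read-write", "read-create"))

def counter_objects(objects):
    """Objects with Counter32/Counter64 syntax, i.e. monotonic statistics."""
    return sorted(name for name, o in objects.items()
                  if o["syntax"].startswith("Counter"))
```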

Enabling IP Rule Set Checking for SNMP

The advanced setting SNMP Before Rules controls whether accesses by SNMP clients are permitted without being checked against the IP rule set. By default, this is enabled and the recommendation is to always have this setting enabled.

The effect of enabling this setting is to add an invisible Allow rule at the top of the IP rule set which automatically permits accesses on port 161 from the network and on the interface specified for SNMP access. Port 161 is usually used for SNMP and cOS Core always expects SNMP traffic on that port.

Preventing SNMP Overload

The advanced setting SNMP Request Limit restricts the number of SNMP requests allowed per second. This can help prevent attacks through SNMP overload.

Example 2.34. Enabling SNMP Versions 1 and 2c Monitoring

This example enables SNMP version 1 and 2c access via the lan interface from the network mgmt-net using the community string Mg1RQqR.

Since the management client is on the internal network, there is no need for it to communicate via a VPN tunnel.

Command-Line Interface

Device:/> add RemoteManagement RemoteMgmtSNMP my_snmp_v1-2
    Interface=lan
    Network=mgmt-net
    SNMPGetCommunity=Mg1RQqR

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the command is:

Device:/> set Settings RemoteMgmtSettings SNMPBeforeRules=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: System > Device > Remote Management > Add > SNMP Management
  2. Now enter:
    • Name: my_snmp_v1-2
    • SNMP Version: SNMPv1 and SNMPv2c
  3. For Access Filter enter:

    • Interface: lan
    • Network: mgmt-net
  4. For Authentication enter:

    • Community: Mg1RQqR
  5. Click OK

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the setting can be found in System > Device > Remote Management > Advanced Settings.

Example 2.35. Enabling SNMP Version 3 Monitoring

This example is similar to the SNMP versions 1 and 2c example above, but uses SNMP version 3 instead. It enables SNMPv3 access via the lan interface from the network mgmt-net. Both SNMPv3 authentication and encryption will be enabled and authentication will be done using the local database called AdminUsers.

Command-Line Interface

Device:/> add RemoteManagement RemoteMgmtSNMP my_snmp_v3
    Interface=lan
    Network=mgmt-net
    SNMPversion=SNMPv3
    LocalUserDatabase=AdminUsers
    Snmp3SecurityLevel=authPriv

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the command is:

Device:/> set Settings RemoteMgmtSettings SNMPBeforeRules=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: System > Device > Remote Management > Add > SNMP Management
  2. Now enter:
    • Name: my_snmp_v3
    • SNMP Version: SNMPv3
    • Security Level: authPriv
  3. For Access Filter enter:

    • Interface: lan
    • Network: mgmt-net
  4. For Authentication enter:

    • Local User Database: AdminUsers
  5. Click OK

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the setting can be found in System > Device > Remote Management > Advanced Settings.

2.5.2. Persistent SNMP Interface Indexes

For SNMP access, cOS Core maintains an index table which contains a configuration's interfaces (all types of interfaces) and each interface has an index number which indicates its position in the table. SNMP client software, including scripts using SNMP, will use these index numbers to refer to a particular interface.

The Problem is Adding or Subtracting Interfaces

By default, the index table is built every time cOS Core restarts, but this can mean that a given interface gets a new index number if interfaces have been added to or subtracted from the configuration. This can pose a problem for SNMP client software which is expecting an interface to have the same index number.

The Solution is Enabling Persistence

To make sure that an interface always has the same index number following a restart, the administrator should enable the SNMP Persist Interface Index setting. This is a global setting which is enabled for the entire configuration.

Enabling Persistent Interfaces in an HA Cluster

In an HA cluster, the interface index table is built in the same way and the table is mirrored between the cluster nodes. However, if interface persistence is enabled, it will only function correctly if the HA setting Synchronize Configuration is enabled on both master and slave. This can be found in the Web Interface by going to System > Device > High Availability and is enabled by default.

In InControl, the cluster property Cluster nodes synchronize automatically should be enabled (it is also enabled by default).

Adding Back a Subtracted Physical Interface

If a physical interface is removed from hardware (this could happen with expansion modules) then the interface will still exist in the index table since it has probably not been removed from the configuration. It is only when an interface is completely removed from a configuration that its entry in the index table disappears.

This means that if the physical interface is later added back to the hardware, it will continue to have the same index number. This is true even though the interface added may be a different physical unit.

Compacting the Index Table

When interface persistence is enabled, it works by having every interface keep the same position in the index table. This can mean that gaps appear in the table (and consequently the interface index numbering) as interfaces disappear. The administrator can, if they wish, defragment the table manually during a scheduled maintenance period using the following CLI command:

Device:/> ifstat -snmpnewindexes

This must be followed by an Activate and Commit in order for the table to be defragmented.

The only reason to perform defragmentation is to return the index numbering to a sequential list of numbers. Extra resources are not consumed because of fragmentation.

[Caution] Caution: Restoring a backup will renumber interface indexes

If a restore of a system backup is performed (either a full system restore or cOS Core configuration only), this will cause the interface index numbers to return to the values of the backup.
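The index table behaviour described in this section, as an added model (example code, not cOS Core's own; the behaviour is assumed from the text above): a restart rebuilds the table, persistence keeps each interface's number across restarts at the cost of gaps, and compaction renumbers the table sequentially. The interface names are constructed.

```python
class SnmpIfIndexTable:
    """Model of the cOS Core SNMP interface index table. The behaviour is
    assumed from the description in this section, not taken from cOS Core."""

    def __init__(self, persist=False):
        self.persist = persist   # the SNMP Persist Interface Index setting
        self.index = {}          # interface name -> SNMP index number
        self.next_index = 1

    def build(self, configured):
        """Rebuild the table, as happens on every restart."""
        if not self.persist:
            # Non-persistent: renumber the configured interfaces from 1 each
            # time, so an interface's number shifts whenever the list changes.
            self.index = {name: i for i, name in enumerate(configured, 1)}
            self.next_index = len(configured) + 1
            return self.index
        # Persistent: known interfaces keep their number; an interface removed
        # from the configuration leaves a gap; new interfaces go at the end.
        for name in list(self.index):
            if name not in configured:
                del self.index[name]
        for name in configured:
            if name not in self.index:
                self.index[name] = self.next_index
                self.next_index += 1
        return self.index

    def compact(self):
        """Effect of 'ifstat -snmpnewindexes' plus Activate and Commit:
        renumber sequentially in table order, removing the gaps."""
        ordered = sorted(self.index, key=self.index.get)
        self.index = {name: i for i, name in enumerate(ordered, 1)}
        self.next_index = len(ordered) + 1
        return self.index


def lan_index_across_restarts(persist):
    """Index of 'lan' after three restarts (initial config, after dmz is
    removed, after vlan10 is added), then the table before and after
    compaction. Returns (i1, i2, i3, before_compact, after_compact)."""
    table = SnmpIfIndexTable(persist)
    table.build(["wan", "dmz", "lan"])
    i1 = table.index["lan"]
    table.build(["wan", "lan"])              # dmz removed, then restart
    i2 = table.index["lan"]
    table.build(["wan", "lan", "vlan10"])    # vlan10 added, then restart
    i3 = table.index["lan"]
    before = dict(table.index)
    after = dict(table.compact())
    return i1, i2, i3, before, after
```

With persistence off the client sees 'lan' move from index 3 to 2 after the first restart; with it on, 'lan' stays at 3 until the administrator compacts the table.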

Example 2.36. Enabling SNMP Index Persistence

This example shows how to enable SNMP index persistence.

Command-Line Interface

Device:/> set Settings RemoteMgmtSettings SNMPPersistentIfIndex=Yes

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: System > Device > Remote Management
  2. Select Advanced Settings
  3. Under SNMP, enable the option Persistent Interface Index
  4. Click OK

2.5.3. SNMP Advanced Settings

The following SNMP advanced settings can be found under the Remote Management section in the Web Interface or InControl. They can also be set through the CLI.

SNMP Before Rules

Enable SNMP traffic to the firewall without checking the IP rule set.

Default: Enabled

SNMP Request Limit

Maximum number of SNMP requests that will be processed each second by cOS Core. Should SNMP requests exceed this rate then the excess requests will be ignored by cOS Core.

Default: 100

System Contact

The contact person for the managed node.

Default: N/A

System Name

The name for the managed node.

Default: N/A

System Location

The physical location of the node.

Default: N/A

Interface Description (SNMP)

What to display in the SNMP MIB-II ifDescr variables.

Default: Name

Interface Alias

What to display in the SNMP ifMIB ifAlias variables.

Default: Hardware

Persistent Interface Index

A global setting that determines if interface index persistence is enabled.

Default: No