The SNMP protocol
Simple Network Management Protocol (SNMP) is a means for communicating between a Network Management System (NMS) and a managed device. SNMP defines 3 types of messages: a Read command for an NMS to examine a managed device, a Write command to alter the state of a managed device and a Trap which is used by managed devices to send messages asynchronously to an NMS about a change of state. This section discusses how to set up SNMP trap message generation in cOS Stream, using both the SNMP2c and SNMPv3 trap standards.
Note: SNMP Trap standards used by cOS Stream
cOS Stream sends SNMP2c traps which are based on the SNMPv2c standard defined by RFC1901, RFC1905 and RFC1906. The SNMPv3 traps sent by cOS Stream conform to RFC 3413, RFC 3414 and RFC 3415.
The SNMP Trap MIB File
The file CLAVISTER-STREAM-TRAPS.mib is included with the system software. It defines the available objects and data types that are used to describe an SNMP Trap message received from cOS Stream. The file can be downloaded directly from cOS Stream using SCP. For example, a typical command line to download all .mib files via the admin user could be the following:
> scp admin@192.168.1.17:/*.mib .
The SCP client should then prompt for the password.
Types of Trap Receiver
The SNMP traps generated by cOS Stream can be sent to receivers defined by two types of configuration objects:
Log receiver objects.
Trap receiver objects.
A configuration object can be created for either of these types for both SNMP2c and SNMPv3 and these are listed below. The only difference between the SNMP2c object and its SNMPv3 counterpart is the addition of the option to provide authentication and/or encryption with SNMPv3 receivers.
SNMP Trap Receiver Objects Types
The following types of SNMP trap receiver objects can be configured in cOS Stream:
LogReceiverSNMP2c
A LogReceiverSNMP2c object processes any log events it is configured to receive and will send those events using a Generic OID that is the same for all events. The LogSeverity property determines which severities are sent and it defaults to Emergency, Alert, Critical, Error, Warning, Notice, Information.
A LogReceiverSNMP2c object can optionally have one or more LogReceiverMessageException objects added as children. Each exception has an Action property which can be set to Exclude or Include for a filtering combination of log category, severity and ID.
TrapReceiverSNMP2c
A TrapReceiverSNMP2c object uses unique OIDs and can only send certain Standard and Enterprise events. The TrapCategory property determines which types of traps are sent and it defaults to STARTUP,LINK,SNMP.
A TrapReceiverSNMP2c object can optionally have one or more TrapException objects added as children. Each TrapException object has an Action property which can be set to Exclude or Include for specific log IDs.
LogReceiverSNMP3
This is similar to the LogReceiverSNMP2c object but with the addition of optional authentication/encryption. One or more optional child LogReceiverMessageException objects can be added to a parent LogReceiverSNMP3 object and these function in the same way as described previously for a LogReceiverSNMP2c object.
TrapReceiverSNMP3
This is similar to the TrapReceiverSNMP2c object but with the addition of optional authentication/encryption. One or more optional child TrapException objects can be added to a parent TrapReceiverSNMP3 object and these function in the same way as described previously for a TrapReceiverSNMP2c object.
Note that the IP address of any of the above types of receiver can be specified as either an IPv4 or IPv6 address.
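The following Python script is an added example and is not part of the cOS Stream documentation or product. It models how the four receiver types described above decide whether an event is forwarded: the parent object filters on LogSeverity (log receivers) or TrapCategory (trap receivers), and a child exception object with Action=Include or Action=Exclude for a specific LogID overrides that decision. The event records, LogIDs, class and function names are constructed for the example; the precedence rule (an exception always wins over the parent filter) is an assumption taken from the description of exception processing in this section, and the Generic/Standard/Enterprise event-type eligibility is not modelled.

```python
from dataclasses import dataclass

# Constructed event record: a LogID, a severity and a trap category.
@dataclass(frozen=True)
class Event:
    log_id: int
    severity: str   # e.g. "Emergency", "Warning"
    category: str   # e.g. "STARTUP", "LINK", "SNMP"

# Models a LogReceiverMessageException / TrapException child object.
@dataclass(frozen=True)
class ReceiverException:
    log_id: int
    action: str     # "Include" or "Exclude"

# Models a LogReceiverSNMP2c/SNMP3 ("LogReceiver") or TrapReceiverSNMP2c/SNMP3
# ("TrapReceiver") parent object. Defaults are the ones stated in this section.
@dataclass
class Receiver:
    kind: str
    log_severity: tuple = ("Emergency", "Alert", "Critical", "Error",
                           "Warning", "Notice", "Information")
    trap_category: tuple = ("STARTUP", "LINK", "SNMP")
    exceptions: tuple = ()

    def parent_allows(self, ev: Event) -> bool:
        """The parent object's own filter, before any exception is consulted."""
        if self.kind == "LogReceiver":
            return ev.severity in self.log_severity
        return ev.category in self.trap_category

    def forwards(self, ev: Event) -> bool:
        """Assumption: a matching child exception overrides the parent filter."""
        for ex in self.exceptions:
            if ex.log_id == ev.log_id:
                return ex.action == "Include"
        return self.parent_allows(ev)


def forwarded_ids(receiver: Receiver, events) -> list:
    """Return the LogIDs of the events this receiver would send on."""
    return [ev.log_id for ev in events if receiver.forwards(ev)]


# Constructed sample events.
SAMPLE_EVENTS = (
    Event(100, "Emergency", "STARTUP"),
    Event(101, "Warning", "LINK"),
    Event(275, "Notice", "SNMP"),
    Event(300, "Emergency", "STARTUP"),
)

# Modelled on Example 20.6: only Emergency events, but LogID 275 always included.
LOG_RECEIVER = Receiver("LogReceiver", log_severity=("Emergency",),
                        exceptions=(ReceiverException(275, "Include"),))

# A trap receiver for STARTUP only, with LogID 300 explicitly excluded.
TRAP_RECEIVER = Receiver("TrapReceiver", trap_category=("STARTUP",),
                         exceptions=(ReceiverException(300, "Exclude"),))

if __name__ == "__main__":
    print("log receiver forwards:", forwarded_ids(LOG_RECEIVER, SAMPLE_EVENTS))
    print("trap receiver forwards:", forwarded_ids(TRAP_RECEIVER, SAMPLE_EVENTS))
```

Running the script shows the two directions of override: LogID 275 is forwarded by the log receiver although its severity (Notice) is outside the parent filter, and LogID 300 is dropped by the trap receiver although its category (STARTUP) is inside it.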
Exception Processing Logic
There is a logical OR relationship between any receiver parent object and its child exception objects. This means that exceptions can override filtering so that even if the parent object includes/excludes an event, a child exception could still exclude/include it.
SNMPv3 Security and Encryption
In contrast to SNMP2c receiver objects, the LogReceiverSNMP3 and TrapReceiverSNMP3 objects can optionally provide encryption and/or authentication by setting their SecurityLevel property to one of the following values:
NoAuthNoPriv - No authentication and no encryption.
AuthNoPriv - Authentication but no encryption.
AuthPriv - Authentication and AES encryption.
If authentication is enabled, the AuthenticationMethod property can be used to set the method. This defaults to HMAC-SHA1-96 but can be set to the alternative value of HMAC-MD5-96.
The credentials required for authentication are specified by the object properties UserName, AuthenticationPassword and PrivacyPassword.
If encryption is enabled, cOS Stream will use only AES encryption. DES encryption (as specified in the SNMPv3 RFC) is not supported as this is now considered to be insecure.
Event Types Sent to Receivers
The types of events that cOS Stream can send to SNMP receivers are the following:
Generic
These are events which use the generic OID. Such events will be sent to the server defined by any configured LogReceiverSNMP2c or LogReceiverSNMP3 object, if allowed by the object's filtering properties.
Standard
These are standard system events, such as coldStart, which have a unique OID. This OID does not contain the Clavister vendor ID. Such events will be sent to the server defined by any configured TrapReceiverSNMP2c or TrapReceiverSNMP3 object, if allowed by the object's filtering properties.
Enterprise
These are firewall specific system events, such as HA related events, which have a unique OID and this OID contains the Clavister vendor ID. Such events will be sent to any TrapReceiverSNMP2c or TrapReceiverSNMP3 configured, if allowed by the object's filtering properties.
The Log Event and Trap Reference Guides
Standard events and Specific Enterprise events are listed in the Clavister NetShield Firewall Log Reference Guide as well as the separate Clavister NetShield Firewall Trap Event Reference Guide. Such double listed events will include the following extra information in the Log Reference Guide: SNMP Trap Category, SNMP Trap MIB Name and SNMP MIB OID.
Any event listed in the Log Reference Guide or Trap Event Reference Guide can become a generic enterprise trap event by using the appropriate filtering with a configured LogReceiverSNMP2c or LogReceiverSNMP3 object.
All events have a unique LogID identifier which can be found in either of the two reference guides and this can be used with filtering.
The Generic Trap Object
Generic Enterprise events use a common trap object called OSGenericTrap. This generic object includes the following properties:
Normally, the SNMP reboot counter should never reach its maximum value. However, the following should be noted about the counter's behavior:
The reboot counter is reset to zero when a firewall is reset to its factory defaults.
The reboot counter is not saved as part of a system backup.
If, for some reason, cOS Stream is unable to read the file containing the reboot counter then it will set the counter to its maximum value.
When the reboot counter reaches its maximum value, a warning message is generated by cOS Stream and the counter will remain at that value if no further action is taken by the administrator. While the counter stays at its maximum, cOS Stream will not send any authenticated SNMPv3 responses or authenticated SNMPv3 trap messages. If authentication is not enabled then message sending will not be affected.
Note that SNMPv3 polling will also cease to work when the reboot counter reaches its maximum if it is also using authentication.
The reboot counter will be reset to zero if the SNMPv3 engine ID is changed by the administrator; how to do this is described later in this section.
Alternatively, the SNMPv3EngineID property can be set to a specific new ID value, in which case the reboot counter will also be reset when the change is made.
The ID is specified as a string of up to 27 characters in length, with no white space included. For example:
System:/>
set Settings RemoteMgmtSettings SNMPv3EngineID="MyFirewall"
Note: NetShield changes Engine ID
NetShield will reformat the Engine ID string to a hexadecimal value. To see the exact value, the following CLI command can be used:
SNMP Trap Setup Examples
The examples below show how setup can be performed for all the SNMP trap receiver types.
Example 20.4. Setting Up a LogReceiverSNMP2c Object
In this example, generic enterprise and specific enterprise SNMP traps are to be sent for events with a severity equal to Emergency to an SNMPv2 server with the IP address 203.0.113.5.
Command-Line Interface
System:/>
add LogReceiver LogReceiverSNMP2c my_receiver
IPAddress=203.0.113.5
LogSeverity=Emergency
Example 20.5. Setting Up a TrapReceiverSNMP2c Object
In this example, standard and/or specific enterprise SNMP traps are to be sent for events with a category value of STARTUP. These are to be sent to a trap server with the IP address 203.0.113.7.
Command-Line Interface
System:/>
add LogReceiver TrapReceiverSNMP2c my_traps
IPAddress=203.0.113.7
TrapCategory=STARTUP
Example 20.6. Setting Up a LogReceiverSNMP3 Object
In this example, generic enterprise and specific enterprise SNMP traps with a severity equal to Emergency are to be sent to an SNMPv3 server with the IP address 203.0.113.5.
An exception will be added so that any log message with the ID 275 will always be sent to the receiver.
Both SHA-1 authentication and AES encryption will be enabled so the SecurityLevel property is set to AuthPriv.
Command-Line Interface
Add the log receiver:
System:/>
add LogReceiver LogReceiverSNMP3 my_v3_receiver
IPAddress=203.0.113.5
LogSeverity=Emergency
SecurityLevel=AuthPriv
UserName=my-username
PrivacyPassword=my-privacy-password
AuthenticationPassword=my-auth-password
Add the exception to the receiver:
System:/>
cc LogReceiver LogReceiverSNMP3 my_v3_receiver
System:/LogReceiver/my_v3_receiver>
add LogReceiverMessageException LogID=275 Action=Include
Example 20.7. Setting Up a TrapReceiverSNMP3 Object
In this example, standard and/or specific enterprise SNMP traps with a category value of STARTUP are to be sent to an SNMPv3 server with the IP address 203.0.113.7.
An exception will be added so that any log message with the ID 275 will always be sent to the receiver.
Both SHA-1 authentication and AES encryption will be enabled so the SecurityLevel property is set to AuthPriv.
Command-Line Interface
Add the trap receiver:
System:/>
add LogReceiver TrapReceiverSNMP3 my_v3_traps
IPAddress=203.0.113.7
TrapCategory=STARTUP
SecurityLevel=AuthPriv
UserName=my-username
PrivacyPassword=my-privacy-password
AuthenticationPassword=my-auth-password
Add the exception to the receiver:
System:/>
cc LogReceiver TrapReceiverSNMP3 my_v3_traps
System:/LogReceiver/my_v3_traps>
add TrapException LogID=275 Action=Include
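The following Python script is an added example and is not part of the cOS Stream documentation or product. It reads receiver definitions written in the CLI form used in Examples 20.4 to 20.7 and reports the settings that the "SNMPv3 Security and Encryption" section identifies as weaker: SNMP2c receivers (no authentication or encryption available), SecurityLevel values of NoAuthNoPriv or AuthNoPriv, and AuthenticationMethod=HMAC-MD5-96 instead of the default HMAC-SHA1-96. The sample input is constructed: it reuses the receivers from the examples above plus one extra receiver (weak_v3) made up for the audit, and the parsing rules, function names and the treatment of a missing SecurityLevel as "verify the default" are assumptions of this example, not documented behaviour.

```python
import re

# Constructed sample input in the CLI form shown in this section. The first two
# receivers are copied from Examples 20.4 and 20.6; weak_v3 is invented for the audit.
SAMPLE_CLI = """\
System:/>
add LogReceiver LogReceiverSNMP2c my_receiver
IPAddress=203.0.113.5
LogSeverity=Emergency
System:/>
add LogReceiver LogReceiverSNMP3 my_v3_receiver
IPAddress=203.0.113.5
LogSeverity=Emergency
SecurityLevel=AuthPriv
UserName=my-username
PrivacyPassword=my-privacy-password
AuthenticationPassword=my-auth-password
System:/>
cc LogReceiver LogReceiverSNMP3 my_v3_receiver
System:/LogReceiver/my_v3_receiver>
add LogReceiverMessageException LogID=275 Action=Include
System:/>
add LogReceiver TrapReceiverSNMP3 weak_v3
IPAddress=203.0.113.9
TrapCategory=STARTUP
SecurityLevel=AuthNoPriv
AuthenticationMethod=HMAC-MD5-96
UserName=my-username
AuthenticationPassword=my-auth-password
"""

# "add LogReceiver <Type> <name>" starts a receiver; "Key=Value" lines belong to it.
ADD_RE = re.compile(r"^add LogReceiver (\w+) (\S+)$")
PROP_RE = re.compile(r"^(\w+)=(.*)$")


def parse_receivers(text: str) -> dict:
    """Return {name: {"Type": ..., <Key>: <Value>, ...}} for each receiver block."""
    receivers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ADD_RE.match(line)
        if m:
            current = {"Type": m.group(1)}
            receivers[m.group(2)] = current
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            # A prompt, a "cc" command or a child-object line ends the block.
            current = None
    return receivers


def audit(text: str) -> list:
    """Return (receiver name, finding) pairs for the weaker settings."""
    findings = []
    for name, r in parse_receivers(text).items():
        if r["Type"].endswith("SNMP2c"):
            findings.append((name, "SNMP2c receiver: no authentication or "
                                   "encryption is available for its traps"))
            continue
        level = r.get("SecurityLevel")
        if level is None:
            # Assumption: treat an unset level as something to verify, since the
            # effective default is not stated in this section.
            findings.append((name, "SecurityLevel not set; verify the effective default"))
        elif level == "NoAuthNoPriv":
            findings.append((name, "SecurityLevel=NoAuthNoPriv: no authentication, no encryption"))
        elif level == "AuthNoPriv":
            findings.append((name, "SecurityLevel=AuthNoPriv: authenticated but sent unencrypted"))
        if r.get("AuthenticationMethod") == "HMAC-MD5-96":
            findings.append((name, "AuthenticationMethod=HMAC-MD5-96: weaker than "
                                   "the default HMAC-SHA1-96"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CLI):
        print(f"{name}: {finding}")
```

With the sample input, my_v3_receiver (AuthPriv with the default SHA-1 method) produces no finding, my_receiver is reported as an SNMP2c receiver, and weak_v3 is reported twice, once for AuthNoPriv and once for HMAC-MD5-96.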