snmp-server
Provide firewall event information via SNMP. (Configuration mode.)
snmp-server community key
snmp-server contact text
snmp-server location text
snmp-server host [if_name] ip_addr [trap | poll]
snmp-server enable traps
clear snmp-server command
no snmp-server command
show snmp-server
Syntax Description
community key Enter the password key value in use at the SNMP management station. The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. The firewall uses the key to determine whether an incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, firewall, and the management station with this same string. The firewall then honors SNMP requests using this string and does not respond to requests with an invalid community string. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default, if this option is not used, is public.
contact text Supply the name of the firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
location text Specify the firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
snmp-server host Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to 32 SNMP management stations.
if_name The interface name where the SNMP management station resides.
ip_addr The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.
trap | poll Specify whether traps, polls, or both are acted upon. Use with these parameters:
- trap Only traps will be sent. This host will not be allowed to poll.
- poll Traps will not be sent. This host will be allowed to poll.
The default allows both traps and polls to be acted upon.
host Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to five SNMP management stations. Use with these parameters:
- if_name The interface name where the SNMP management station resides.
- ip_addr The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.
enable traps Enable or disable sending SNMP trap notifications via syslog.
Usage Guidelines
Use the snmp-server command to identify site, management station, community string, and user information. In SNMP terms, the firewall is the SNMP agent or SNMP server. The management station is the system running the SNMP program that receives and processes the SNMP information that the firewall sends.
An SNMP object ID (OID) for the firewall is displayed in SNMP event traps sent from the firewall. OID 1.3.6.1.4.1.9.1.227 was assigned as the firewall system object ID.
The clear snmp-server and no snmp-server commands remove command statements. The show snmp-server command displays the information.
Use the trap and poll command options to configure hosts to participate only in specific SNMP activities. Poll responses and traps are sent only to the configured entities. Hosts configured with the trap command option will have traps sent to them, but will not be allowed to poll. Hosts configured with the poll command option will be allowed to poll, but will not have traps sent to them.
Accessibility to the firewall MIBs is based on configuration, MIB support, and authentication based on the community string. Unsuccessful polling attempts, except for failed community string authentication, are not logged or otherwise indicated. Community authentication failures result in a trap where applicable.
MIB Support
You can browse the System and Interface groups of MIB-II. All SNMP values in the firewall are read only (RO). The firewall does not support browsing of the syslog MIB.
Browsing a MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values. Traps are different; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, syslog event generated, and so on.
Firewall MIB and Memory Pool MIB are now available. These MIBs provide the following firewall information via SNMP:
- Buffer usage from the show block command
- Connection count from the show conn command
- Failover status
- Memory usage from the show memory command
Receiving SNMP Requests from an SNMP Management Station
To receive SNMP requests from a management station:
- Identify the management station with an snmp-server host command statement.
- Specify snmp-server command options for the location, contact, and community.
- Start the SNMP software on the management station and begin issuing SNMP requests to the firewall.
Defaults
If you specify neither the trap nor the poll option, the snmp-server host command behaves as in previous versions: polling is permitted from all configured hosts on the affected interface, and traps are sent to all configured hosts on the affected interface.
Examples
The following example shows commands you would enter to start receiving SNMP requests from a management station:

    snmp-server community wallawallabingbang
    snmp-server location Building 42, Sector 54
    snmp-server contact Sherlock Holmes
    snmp-server host perimeter 10.1.2.42

The next example is sample output from the show snmp-server command:

    show snmp
    snmp-server host perimeter 10.1.2.42
    snmp-server location Building 42, Sector 54
    snmp-server contact Sherlock Holmes
    snmp-server community wallawallabingbang
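
The following audit script is an added example, not part of the original command reference. It parses the snmp-server lines of a saved configuration and flags the defaults described above: a missing or "public" community string, and hosts left able to both poll and receive traps. The function names, finding codes and the NO_COMMUNITY sample are assumptions made for illustration.

```python
MAX_KEY_LEN = 32  # community key limit given in the Syntax Description

def parse_snmp_server(config_text):
    """Return (community, hosts); hosts are (if_name, ip_addr, mode) tuples."""
    community, hosts = None, []
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "snmp-server":
            continue
        if words[1] == "community":
            community = " ".join(words[2:])
        elif words[1] == "host":
            args = words[2:]
            mode = "both"  # documented default: traps and polls
            if args[-1] in ("trap", "poll"):
                mode = args.pop()
            if not args:
                continue  # malformed line: no address given
            if_name = args[0] if len(args) > 1 else None
            hosts.append((if_name, args[-1], mode))
    return community, hosts

def audit_snmp_server(config_text):
    """Return (code, detail) findings for weak or default SNMP settings."""
    community, hosts = parse_snmp_server(config_text)
    findings = []
    if community is None or community == "public":
        findings.append(("DEFAULT_COMMUNITY", "community string is the default 'public'"))
    elif " " in community or len(community) > MAX_KEY_LEN:
        findings.append(("INVALID_KEY", "key has spaces or exceeds 32 characters"))
    for if_name, ip_addr, mode in hosts:
        if mode == "both":
            findings.append(("UNRESTRICTED_HOST", ip_addr))
    return findings

# Constructed inputs: PAGE_EXAMPLE repeats the page's commands; NO_COMMUNITY is hypothetical.
PAGE_EXAMPLE = """\
snmp-server community wallawallabingbang
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host perimeter 10.1.2.42
"""
NO_COMMUNITY = """\
snmp-server host perimeter 10.1.2.42 poll
snmp-server host perimeter 10.1.2.43 trap
"""

if __name__ == "__main__":
    print(audit_snmp_server(PAGE_EXAMPLE), audit_snmp_server(NO_COMMUNITY))
```

The page's own example yields one UNRESTRICTED_HOST finding, because its host line carries neither trap nor poll.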