How to Configure Sending SNMPv3 Traps

How to Configure Sending SNMPv3 Traps

24050
Created On 09/25/18 17:30 PM - Last Updated 02/07/19 23:54 PM
Resolution

Overview:

This document demonstrates how to configure the Palo Alto Networks Firewall to send SNMPv3 Traps. The SNMPv3 trap receiver used in this exampe is 'snmptrapd' running on Ubuntu.

 

Steps

In the following example, the firewall has IP: 172.17.128.23 and the SNMPv3 Trap receiver has IP: 172.17.128.17.

  1. To setup SNMPv3 polling.  Go to Device > Setup > Operation > SNMP Setup, then click "v3".

    v3_trap_poll.PNG

    • All passwords set to 'paloalto'.
    • The polling setup does not need the engineID.
    • However, polling configuration is necessary to retrieve the engineID from the device which is used in the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap.
  2. Once the device starts responding to SNMPv3 GETs/Walks, an SNMPv3 GET needs to be issued against the device for the OID 1.3.6.1.6.3.10.2.1.1.0.  This GET should respond with the engineID (in HEX).
    • Issue an SNMPv3 GET against the OID 1.3.6.1.6.3.10.2.1.1.0 to retrieve the engineID

      $ snmpget -v 3 -u test -l authPriv -a SHA -A paloalto -x AES -X paloalto 172.17.128.23 1.3.6.1.6.3.10.2.1.1.0

      iso.3.6.1.6.3.10.2.1.1.0 = Hex-STRING: 80 00 1F 88 04 30 30 30 30 30 34 39 35 32 36 30 37

    • The engine ID retrieved above is : 0x80001f8804303030303034393532363037 (Hex)
  3. Once the backend SNMPv3 Trap receiver is configured, complete the SNMPv3 Server profile setup. Configure the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap:
    • All passwords set to 'paloalto'.
    • The engineID retrieved in Step #2 is required to configure the SNMP Trap Server profile.

         v3trap_profile.PNG

 

4. Assign the SNMP Trap profile created in Step #3 to the relevant logs needed to be forwarded as Traps. For example, configure System log to be sent out as Traps. To do so, navigate to Device > Log Settings > System:

     log_settings.PNG

 

5. To Verify

    • For verification, the SNMPv3 Trap receiver used is snmptrapd running on a linux system.
    • The user 'traptest' used in Step #4 needs to be created in the trap receiver configuration file:

      ~$ cat /tmp/snmptrapd.conf

      createUser -e 0x80001f8804303030303034393532363037 traptest SHA paloalto AES paloalto

      authuser log traptest

    • Now, snmptrapd is started using the configuration file created above:

      ~$ sudo snmptrapd -f -C -c /tmp/snmptrapd.conf -Le

    • A system log is generated as follows:

      v3_trap.PNG

    • Its corresponding SNMPv3 trap recorded on the Linux machine as follows:

      2013-01-29 06:49:45 172.17.128.23 [UDP: [172.17.128.23]:34722->[172.17.128.17]]:

      iso.3.6.1.2.1.1.3.0 = Timeticks: (33979763) 3 days, 22:23:17.63 iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.25461.2.1.3.2.0.600        iso.3.6.1.4.1.25461.2.1.3.1.2 = STRING: "2013/01/29 06:49:46"   iso.3.6.1.4.1.25461.2.1.3.1.3 = STRING: "0009C101956"        iso.3.6.1.4.1.25461.2.1.3.1.4 = STRING: "SYSTEM"        iso.3.6.1.4.1.25461.2.1.3.1.5 = STRING: "general"       iso.3.6.1.4.1.25461.2.1.3.1.7 = ""      iso.3.6.1.4.1.25461.2.1.3.1.8 = STRING: "40867" iso.3.6.1.4.1.25461.2.1.3.1.9 = STRING: "0x0"        iso.3.6.1.4.1.25461.2.1.3.1.300 = STRING: "general"     iso.3.6.1.4.1.25461.2.1.3.1.301 = ""    iso.3.6.1.4.1.25461.2.1.3.1.302 = STRING: "general"     iso.3.6.1.4.1.25461.2.1.3.1.303 = STRING: "informational"    iso.3.6.1.4.1.25461.2.1.3.1.304 = STRING: "User admin accessed Monitor tab"

 

owner: achitwadgi



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG6CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language