This document demonstrates how to configure the Palo Alto Networks Firewall to send SNMPv3 Traps. The SNMPv3 trap receiver used in this example is 'snmptrapd' running on Ubuntu.
Steps
In the following example, the firewall has IP: 172.17.128.23 and the SNMPv3 Trap receiver has IP: 172.17.128.17.
1. To set up SNMPv3 polling, go to Device > Setup > Operation > SNMP Setup, then click "v3".
All passwords are set to 'paloalto'.
The polling setup does not need the engineID.
However, the polling configuration is necessary to retrieve the engineID from the device, which is used in the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap.
Once the device starts responding to SNMPv3 GETs/Walks, an SNMPv3 GET needs to be issued against the device for the OID 1.3.6.1.6.3.10.2.1.1.0. This GET should respond with the engineID (in hex).
2. Issue an SNMPv3 GET against the OID 1.3.6.1.6.3.10.2.1.1.0 to retrieve the engineID:
$ snmpget -v 3 -u test -l authPriv -a SHA -A paloalto -x AES -X paloalto 172.17.128.23 1.3.6.1.6.3.10.2.1.1.0
The engineID retrieved above is: 0x80001f8804303030303034393532363037 (hex)
3. Once the backend SNMPv3 Trap receiver is configured, complete the SNMPv3 Server profile setup. Configure the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap:
All passwords are set to 'paloalto'.
The engineID retrieved in Step #2 is required to configure the SNMP Trap Server profile.
4. Assign the SNMP Trap profile created in Step #3 to the logs that need to be forwarded as traps. For example, configure the System log to be sent out as traps. To do so, navigate to Device > Log Settings > System:
5. Verify
For verification, the SNMPv3 Trap receiver used is snmptrapd running on a Linux system.
The user 'traptest' used in Step #4 needs to be created in the trap receiver configuration file:
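The following is an added example, not part of the original article: a Python helper that decodes the engineID retrieved in Step #2 according to the RFC 3411 SnmpEngineID layout and builds the snmptrapd.conf `createUser`/`authUser` directives for the user 'traptest'. The SHA/AES protocols and the 'paloalto' passphrases mirror the snmpget command above; using them for the trap user, and the function names, are assumptions.

```python
import re

# engineID as returned by the SNMPv3 GET shown in this article.
ENGINE_ID = "0x80001f8804303030303034393532363037"


def _strip(hex_id):
    h = hex_id.strip().lower()
    return h[2:] if h.startswith("0x") else h


def parse_engine_id(hex_id):
    """Split an RFC 3411 SnmpEngineID into enterprise number, format and value."""
    h = _strip(hex_id)
    if not re.fullmatch(r"(?:[0-9a-f]{2}){5,32}", h):
        raise ValueError("engineID must be 5 to 32 octets of hex")
    raw = bytes.fromhex(h)
    first = int.from_bytes(raw[:4], "big")
    if not first & 0x80000000:
        raise ValueError("only the RFC 3411 layout (high bit set) is handled")
    fmt, payload = raw[4], raw[5:]
    # Format 4 is administratively assigned text; other formats are shown as hex.
    value = payload.decode("ascii") if fmt == 4 else payload.hex()
    return {"enterprise": first & 0x7FFFFFFF, "format": fmt, "value": value}


def snmptrapd_conf(hex_id, user, auth_pass, priv_pass):
    """Build snmptrapd.conf lines for an authPriv trap user tied to the sender's engineID."""
    parse_engine_id(hex_id)  # reject a malformed ID before it reaches the config
    for secret in (auth_pass, priv_pass):
        if len(secret) < 8:
            raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    if re.search(r"\s", user + auth_pass + priv_pass):
        raise ValueError("whitespace would split the directive into extra tokens")
    return [
        # -e binds the user to the firewall's engineID; traps are authenticated
        # against the sender's engine, so a mismatch makes snmptrapd drop them.
        f"createUser -e 0x{_strip(hex_id)} {user} SHA {auth_pass} AES {priv_pass}",
        # Accept traps from this user only at the authPriv security level.
        f"authUser log {user} priv",
    ]


if __name__ == "__main__":
    print(parse_engine_id(ENGINE_ID))
    print("\n".join(snmptrapd_conf(ENGINE_ID, "traptest", "paloalto", "paloalto")))
```

If the engineID in the receiver configuration does not match the value the firewall reports, the traps fail authentication at the receiver, so re-run the GET from Step #2 when the receiver logs nothing.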