How to configure SNMPV3 on a Palo Alto Networks Firewall
153061
Created On 05/02/22 10:21 AM - Last Modified 03/24/25 23:43 PM
Objective
This document explains how to configure SNMPv3 on the Palo Alto Networks firewall. Begin by configuring the SNMP trap server profile and to setup up SNMP
Environment
- Palo Alto Firewall or Panorama
- PAN-OS 9.1 and above
Procedure
SNMP Setup
- Go to Device > Setup > Operations > SNMP Setup.
- When the SNMP setup appears, enter the following criteria:
- Physical: Location Specify the physical location of the firewall.
- Contact: Enter the name or email address of the person responsible for maintaining the firewall.(This setting is reported in the standard system information MIB)
- Use Event-Specific Trap Definitions: Check the box to use a unique OID for each SNMP trap based on the event type.
- Version: Select the SNMP version (V2c or V3). This setting controls access to the MIB information.
For V3, configure the following setting:
In the View section, click Add. Enter name for the group, then configure the following for each view you add to the group
View: Specify a name for the view. The name can have up to 31 characters that are alphanumerical, periods, underscores or hyphens
OID: Specify the OID of the MIB.
Option: Select the matching logic to apply to the MIB
Mask: Specify the mask in hexadecimal format
In the View section, click Add. Enter name for the group, then configure the following for each view you add to the group
View: Specify a name for the view. The name can have up to 31 characters that are alphanumerical, periods, underscores or hyphens
OID: Specify the OID of the MIB.
Option: Select the matching logic to apply to the MIB
Mask: Specify the mask in hexadecimal format
In the User section, click Add. Enter a name for the user, then configure the following fields for each view you add to the group:
User name: Specify a username to identify the SNMP user account. The username you configured on the firewall must match the username configured on the SNMP manager. The username can have up to 31 characters.
View: Assign a group of views to the user.
Authentication password: Type and confirm the authentication password. The password must between 8 and 256 characters long. All the characters are allowed.
Privacy password: Type and confirm privacy password. The password must be 8 and 256 character long. All the characters are allowed.
Authentication protocol: Specify the authentication profile. The firewall uses the secure hash algorithm to encrypt the password.
Privacy protocol: Specify the Privacy Protocol. The firewall uses the password and advanced encryption standard to encrypt SNMP traps and responses to statistics requests.
User name: Specify a username to identify the SNMP user account. The username you configured on the firewall must match the username configured on the SNMP manager. The username can have up to 31 characters.
View: Assign a group of views to the user.
Authentication password: Type and confirm the authentication password. The password must between 8 and 256 characters long. All the characters are allowed.
Privacy password: Type and confirm privacy password. The password must be 8 and 256 character long. All the characters are allowed.
Authentication protocol: Specify the authentication profile. The firewall uses the secure hash algorithm to encrypt the password.
Privacy protocol: Specify the Privacy Protocol. The firewall uses the password and advanced encryption standard to encrypt SNMP traps and responses to statistics requests.
- Enable SNMP service on management interface:
- Go to the Device tab and then Setup
- Click the Management
- Click the Management Interface Settings button
- Check the SNMP box
Note: If using an interface apart from Management, make sure that the Interface Management profile associated with the Interface has SNMP enabled.
- Commit the changes.
- Now one can use "snmpget" or "snmpwalk" to view the responses. One example of snmpget from a linux server is below.
root@linux2:~# snmpget -v 3 -u [username] -l authPriv -a SHA -A [auth password]-x AES -X [priv password] [IP address] .1.3.6.1.2.1.1.1.0 Response: iso.3.6.1.2.1.1.1.0 = STRING: "Palo Alto Networks PA-500 series firewall"
Additional Information
To configure the Palo Alto Firewalls to send the SNMP trap, configure the SNMP trap server profile.
- Go to Device > Server Profiles
- Click the SNMP Trap
- Click the Add button to add a server and choose the version
- For V3, The following fields need to be filled in:
- Name: Specify a name for the SNMP manager (up to 31 characters).
- Manager: Specify the IP address of the trap destination.
- User: Specify a username to identify the SNMP user account (up to 31 characters).
- EngineID: Specify the engine ID of the firewall(used to identify the firewall, or leave blank and the firewall's serial number will be used).
- Authentication Password: Type and confirm the authentication password. The password must be between 8 and 256 characters long. All characters are allowed.
- Privacy Password: Type and confirm privacy password. The password must be between 8 and 256 characters long. All characters are allowed.
- Authentication Protocol: Specify the Authentication protocol. The firewall uses the secure hash algorithm to encrypt the password.
- Privacy Protocol: Specify the Privacy Protocol. The firewall uses the password and Advanced Encryption Standard 128 (AES-128) to encrypt SNMP traps and responses to statistics requests.
Once configured, the SNMP traps are sent to the IP address configured under SNMP manager (In this case 198.162.10.1)