topic Re: snmp on fpr 1150 in Network Security

snmp on fpr 1150

kostasthedelegate — Thu, 27 May 2021 04:55:37 GMT

Hello,

I have an FPR 1150 with FTD 6.6.1 managed locally(FDM)

Does it support SNMP configuration?

Is there a guide?

Thanks and regards,

Konstantinos

Re: snmp on fpr 1150

Marvin Rhoads — Thu, 27 May 2021 05:02:45 GMT

Only via Flexconfig. There's an example buried in this page:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-advanced.html

They removed that in 6.7 and restricted it to via API - even uglier.

Generally speaking, FDM and SNMP don't play well together (easily) on 6.x. You can do it but it's likely to leave you frustrated by the very rudimentary support.

Re: snmp on fpr 1150

kostasthedelegate — Thu, 27 May 2021 05:28:31 GMT

Thank you @Marvin Rhoads

I deployed it and we see if it goes well!!

Re: snmp on fpr 1150

Marvin Rhoads — Thu, 27 May 2021 06:09:54 GMT

You're welcome.

By the way, the "SNMP config via API-only" constraint remains with FDM-managed FTD 7.0 devices.

Re: snmp on fpr 1150

kostasthedelegate — Fri, 28 May 2021 05:23:26 GMT

Well I created a Flex object and entered the required config but it did not work

This is the policy

Re: snmp on fpr 1150

Marvin Rhoads — Fri, 28 May 2021 13:53:34 GMT

"it did not work" - how? Did the flexconfig deploy successfully into running-config? If so, are you unable to poll the appliance?

Re: snmp on fpr 1150

kostasthedelegate — Mon, 31 May 2021 05:08:00 GMT

Yes it deployed successfully

I cannot see only the last command

Re: snmp on fpr 1150

Marvin Rhoads — Mon, 31 May 2021 08:29:10 GMT

So when you poll the device, does it accept the queries from your SNMP manager? Do you not get what you expected? Please provide more information about what doesn't work.

Re: snmp on fpr 1150

kostasthedelegate — Mon, 31 May 2021 09:27:05 GMT

The FW is the server and the client I get timeout on the management interface of the FW from the SNMP

and when I tried the inside interface I get no response

Will it work on the management interface??

Re: snmp on fpr 1150

Marvin Rhoads — Mon, 31 May 2021 09:42:49 GMT

SNMP will not work to the management interface since you have "snmp-server host inside"... The inside keyword means that is where the SNMP server is allowed to poll. I would suggest a packet capture on your SNMP manager (client) to see what (if anything) the FTD is replying when you query it. I have deployed several using similar commands and they all worked OK.

Re: snmp on fpr 1150

kostasthedelegate — Tue, 01 Jun 2021 09:38:46 GMT

Yes you are right
I have the inside interface

Today I used the MIB from Cisco but I get the following

iso.3.6.1.2.1 = No more variables left in this MIB View (It is past the end of the MIB tree)

Re: snmp on fpr 1150

Marvin Rhoads — Tue, 01 Jun 2021 10:22:04 GMT

Hmm.What are you using to query?

I just tried (using snmpwalk from the cli of a Prime Infrastructure server) on one of my FTD devices with FTD enabled and got the following:

ade # snmpwalk -v2c -c <community string redacted> <address redacted> 1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Firepower Threat Defense, Version 6.7.0.2 (Build 24), ASA Version 9.15(1)15
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.2407
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (143251900) 16 days, 13:55:19.00
SNMPv2-MIB::sysContact.0 = STRING: null
SNMPv2-MIB::sysName.0 = STRING:<hostname redacted>
SNMPv2-MIB::sysLocation.0 = STRING: null
SNMPv2-MIB::sysServices.0 = INTEGER: 4
ade #

If I back up a level like you used I get a whole long list as output (interface info, counters etc.).

Re: snmp on fpr 1150

kostasthedelegate — Tue, 01 Jun 2021 10:35:22 GMT

Hello,

I am using these

snmpwalk -M /usr/local/share/snmp/mibs/cisco/ -v1 -c <community string redacted> <address redacted>

snmpwalk -M /usr/local/share/snmp/mibs/cisco/ -v2c -c <community string redacted> <address redacted>

Re: snmp on fpr 1150

Marvin Rhoads — Tue, 01 Jun 2021 18:07:37 GMT

Only the basic SNMPv2, SNMPv2-SMI and IF MIBs are supported via the dataplane queries. Those generally suffice to ascertain device status and interface statistics.

To access Cisco-specific MIBs you need to configure and use the Diagnostic interface which allows you to query the LINA (ASA) subsystem using SNMP.

Re: snmp on fpr 1150

kostasthedelegate — Wed, 02 Jun 2021 06:11:48 GMT

Hello @Marvin Rhoads

Now I am confused actually.

So you say the query I run is complex?

That is why I get timeout?

I saw that management interface won't reply, isn't that correct?

What should I run?

Regards,

Konstantinos

Re: snmp on fpr 1150

Marvin Rhoads — Wed, 02 Jun 2021 07:48:17 GMT

Sorry I dd not mean that it is complex - it is just not supported to query the Cisco-specific MIBs via dataplane interface.

You would need to give an address to the Diagnostic interface from within FDM. Then update your flexconfig to indicate that the SNMP client is allowed to acess using the Diagnostic interface. Once you have done that, you can query using the Cisco MIBs. The FTD device in that case will look pretty much like an ASA since the LINA subsystem will be handling all of that interaction.

Re: snmp on fpr 1150

kostasthedelegate — Wed, 02 Jun 2021 10:52:28 GMT

Ok the management address I have now to which interface is assigned to?

Could I use the same?

Re: snmp on fpr 1150

Marvin Rhoads — Wed, 02 Jun 2021 16:02:19 GMT

You need to use the Diagnostic interface. Here is more detail:

The physical port labeled Management (or for Firepower Threat Defense Virtual, the Management 0/0 virtual interface) actually has two separate interfaces associated with it.

Management virtual interface—This IP address is used for system communication. This is the address the system uses for Smart Licensing and to retrieve database updates. You can open management sessions to it (Firepower Device Manager and CLI). You must configure a management address, which is defined on when you first setup the system (or later from the cli using "configure network").
Diagnostic physical interface—The physical Management port is actually named Diagnostic. You can use this interface to send syslog messages to an external syslog server, send Netflow records or query the LINA subsystem using SNMP. Configuring an IP address for the Diagnostic physical interface is optional. This interface appears, and is configurable using Firepower Device Manager, under edit physical interface page under Management 1/1.

Re: snmp on fpr 1150

kostasthedelegate — Mon, 07 Jun 2021 09:34:19 GMT

I am trying this query

snmpwalk -v2c -c <communitystring> <address inside> 1.3.6.1.2.1.1

And I get this

iso.3.6.1.2.1.1 = No more variables left in this MIB View (It is past the end of the MIB tree)

Also when I give the command

show snmp-server statistics
Unable to honour this command now. Please try again later.

I get the above

Should I enable the snmp from flexconfig only or should I perform some setting somewhere else?

How do I set the version?

Re: snmp on fpr 1150

Marvin Rhoads — Mon, 07 Jun 2021 10:26:34 GMT

As i noted in my previous reply, "You need to use the Diagnostic interface."

So the flexconfig that you posted earlier should work (assuming you first configure an address for the diagnostic interface) if you substitute "Diagnostic" for "inside".