
Enable SNMP v2 on FTD 1010 using FDM

Travis-Fleming
Level 1

Hello,

We use SNMP v2 through SolarWinds for remotely monitoring our devices. We have a Cisco FTD 1010 we are deploying to a site using FDM. I understand you can use FlexConfig to enable this, but I'm having some trouble. I verified I have access rules to allow our SolarWinds server access to the diagnostic port of the 1010 device. I can ping the diagnostic port from our SolarWinds server. I have the below FlexConfig policy in place. The LAN interface of our network is inside_2; we aren't using an out-of-the-box bridge interface for our deployment. Ideas? The 1010 deploys the config with no error, and if I do a show running-config on the device I see it's there.

I also tried doing a system support trace, and nothing ever flags when I put in the source IP of our SolarWinds server either.

 

snmp-server enable
snmp-server host inside_2 172.16.1.166
snmp-server community XXXXX
snmp-server enable traps all

Accepted Solution

In case someone else finds this thread, I found the answer! In FlexConfig I did the below setup and applied it to a group FlexConfig.


snmp-server enable
snmp-server host diagnostic 172.16.1.166 poll community XXXX version 2c
snmp-server location XXXX
snmp-server contact ATS HelpDesk
snmp-server community XXXX
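
The two FlexConfig bodies in this thread differ only on the `snmp-server host` line. The following is an added example (not code from the thread or from Cisco) that parses those lines and lists the differences; the helper names `parse_hosts` and `audit` are hypothetical, and it assumes the poller reaches the device on `diagnostic` with SNMP 2c, as in the accepted solution.

```python
import re

# Constructed inputs: the two FlexConfig bodies quoted in this thread (community masked as posted).
ORIGINAL = """snmp-server enable
snmp-server host inside_2 172.16.1.166
snmp-server community XXXXX
snmp-server enable traps all
"""
ACCEPTED = """snmp-server enable
snmp-server host diagnostic 172.16.1.166 poll community XXXX version 2c
snmp-server location XXXX
snmp-server contact ATS HelpDesk
snmp-server community XXXX
"""
HOST_RE = re.compile(r"^snmp-server host (?P<ifname>\S+) (?P<ip>\S+)(?P<rest>.*)$")

def parse_hosts(config):
    """Return one dict per 'snmp-server host' line, recording only what the line states."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        host = {"interface": m["ifname"], "ip": m["ip"],
                "mode": None, "has_community": False, "version": None}
        tokens = iter(m["rest"].split())
        for tok in tokens:
            if tok in ("poll", "trap"):
                host["mode"] = tok
            elif tok == "community":
                # Consume the value so it is not parsed as a keyword; never store the secret.
                host["has_community"] = next(tokens, None) is not None
            elif tok == "version":
                host["version"] = next(tokens, None)
        hosts.append(host)
    return hosts

def audit(config, poller_interface, version="2c"):
    """Hypothetical helper: list where the SNMP lines differ from what the poller expects."""
    findings = []
    if not re.search(r"^snmp-server enable\s*$", config, re.M):
        findings.append("no 'snmp-server enable' line")
    for h in parse_hosts(config):
        if h["interface"] != poller_interface:
            findings.append(f"{h['ip']}: interface {h['interface']}, expected {poller_interface}")
        if h["version"] != version:
            findings.append(f"{h['ip']}: host line states version {h['version']}, expected {version}")
        if not h["has_community"]:
            findings.append(f"{h['ip']}: no community on the host line")
    return findings
```

Calling `audit(ORIGINAL, "diagnostic")` reports the interface, version and community differences, while `audit(ACCEPTED, "diagnostic")` returns an empty list.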


Travis-Fleming
Level 1

I was able to copy from another FTD we have managed by our FMC, but it still does not work. Getting closer I think, but not quite there.

 

snmp-server host diagnostic 172.16.1.166 poll community ***** version 2c
snmp-server community *****


Hi Travis,

 

It didn't work for me. I'm getting this message:

 

The template is not valid. Please hover over the  icons for detailed error information

 

Thanks,
Ivan

Can you copy and paste what your config looks like? I've deployed a good 10 FTD 1010's successfully with this config.

I'm using the 6.7 version. 

 

I spoke to Cisco and they said that I need to do it using rest API.

 

Which version are you using?

Correct - FDM 6.7 has blacklisted the Flexconfig commands necessary for this. Hooray automation.

To use the REST API, some folks from Cisco have recently created a Python script that I found to work well.

Please refer to it here:

https://community.cisco.com/t5/security-documents/firepower-device-manager-fdm-6-7-snmp-using-python-script/ta-p/4283247

You beat me to the punch Marvin, I was just about to post that, although without the "hooray automation" piece haha.

 

Here is my two cents from Cisco documentation. I'm right on the edge with 6.6, so from the sounds of it, if/when I upgrade I'll need to learn some API with Python finally.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html 

 

"You can use the FTD API to configure SNMP version 2c or 3 on an FDM or CDO managed FTD device.

We added the following API resources: SNMPAuthentication, SNMPHost, SNMPSecurityConfiguration, SNMPServer, SNMPUser, SNMPUserGroup, SNMPv2cSecurityConfiguration, SNMPv3SecurityConfiguration."

"NOTE: If you used FlexConfig to configure SNMP, you must redo your configuration using the FTD API SNMP resources. The commands for configuring SNMP are no longer allowed in FlexConfig. Simply removing the SNMP FlexConfig object from the FlexConfig policy will allow you to deploy changes; you can then use the object as reference while you use the API to reconfigure the feature."
