snmp on fpr 1150

Hello, 


I have an FPR 1150 with FTD 6.6.1 managed locally (FDM).

Does it support SNMP configuration?

Is there a guide?


Thanks and regards, 

Konstantinos

28 Replies

Marvin Rhoads
Hall of Fame

Sorry, I did not mean that it is complex - it is just not supported to query the Cisco-specific MIBs via the dataplane interface.

You would need to give an address to the Diagnostic interface from within FDM. Then update your FlexConfig to indicate that the SNMP client is allowed to access using the Diagnostic interface. Once you have done that, you can query using the Cisco MIBs. The FTD device in that case will look pretty much like an ASA, since the LINA subsystem will be handling all of that interaction.

OK, the management address I have now, to which interface is it assigned?

Could I use the same?

You need to use the Diagnostic interface. Here is more detail:

The physical port labeled Management (or for Firepower Threat Defense Virtual, the Management 0/0 virtual interface) actually has two separate interfaces associated with it.

  • Management virtual interface—This IP address is used for system communication. This is the address the system uses for Smart Licensing and to retrieve database updates. You can open management sessions to it (Firepower Device Manager and CLI). You must configure a management address, which is defined when you first set up the system (or later from the CLI using "configure network").
  • Diagnostic physical interface—The physical Management port is actually named Diagnostic. You can use this interface to send syslog messages to an external syslog server, send NetFlow records, or query the LINA subsystem using SNMP. Configuring an IP address for the Diagnostic physical interface is optional. This interface appears, and is configurable using Firepower Device Manager, on the edit physical interface page under Management 1/1.


Hi Marvin,

Am I able to edit the diagnostic interface (add the correct IP) while up and in production?

(I don't want to interrupt anything.)

Regards,

Brian

@bd-fisher Editing the diagnostic interface will not affect any traffic flow.

I am trying this query:

snmpwalk -v2c -c <communitystring> <address inside> 1.3.6.1.2.1.1

And I get this:

iso.3.6.1.2.1.1 = No more variables left in this MIB View (It is past the end of the MIB tree)


Also, when I give the command

show snmp-server statistics
Unable to honour this command now. Please try again later.

I get the above.


Should I enable SNMP from FlexConfig only, or should I perform some setting somewhere else?

How do I set the version?

As I noted in my previous reply, "You need to use the Diagnostic interface."

So the FlexConfig that you posted earlier should work (assuming you first configure an address for the diagnostic interface) if you substitute "Diagnostic" for "inside".


OK

I thought you said that inside will work for simple polls, but if I need the more complex ones (with the file) I should use the diagnostic interface.

Ah OK - yes. Please check the packets coming from your FTD. Validate that it is actually replying to the SNMP query, or whether the output is an artifact of the tool you are using.

I see packets back and forth, but I still get the same message:

iso.3.6.1.2.1 = No more variables left in this MIB View (It is past the end of the MIB tree)

Hello @Marvin Rhoads 


Could you post the configuration for the SNMP in the FTD you mentioned before in order to crosscheck?

It's a dead simple SNMP configuration. In my case it was added using the API vs. FlexConfig, but the outcome is the same:

Cisco Fire Linux OS v6.7.0 (build 62)
Cisco Firepower 2140 Threat Defense v6.7.0.2 (build 24)

>
> show running-config | include snmp
snmp-server group AUTH v3 auth 
snmp-server group PRIV v3 priv 
snmp-server group NOAUTH v3 noauth 
snmp-server host inside ***** community ***** version 2c
snmp-server location null
snmp-server contact null
snmp-server community *****
  inspect snmp 
>

Thank you Marvin, 


I would like to ask about the first 3 commands:

snmp-server group AUTH v3 auth 
snmp-server group PRIV v3 priv 
snmp-server group NOAUTH v3 noauth 

Aren't these used for snmpv3?

I will install them to see if it changes something.

The configuration lines with "v3" are for SNMPv3 and are there by default on all FTD devices. They have nothing to do with your issue.
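An added check, not code from the thread or from Cisco, that applies Marvin's point from above to a running-config: it parses the "snmp-server host" lines in the ASA/LINA style shown in the posted config, flags hosts bound to any interface other than Diagnostic (so LINA MIB polling will return "No more variables" as seen in the thread), and flags v1/v2c hosts, whose community strings travel in cleartext, in favour of the v3 groups that are present by default. The sample config and the 192.0.2.10 address are constructed.

```python
import re

# Constructed sample, modelled on the running-config posted in the thread.
# The 192.0.2.10 address is an assumption; ***** are masked values as posted.
SAMPLE_CONFIG = """\
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server host inside 192.0.2.10 community ***** version 2c
snmp-server location null
snmp-server contact null
snmp-server community *****
"""

# ASA/LINA syntax: snmp-server host <iface> <addr> [trap|poll] [community <str>] [version 1|2c|3 [user]]
HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<addr>\S+)"
    r"(?: (?:trap|poll))?(?: community \S+)?(?: version (?P<ver>\S+))?"
)


def check_snmp_config(config: str, expected_iface: str = "Diagnostic") -> list:
    """Return (code, message) findings for each snmp-server host line.

    wrong-interface: the poller is not bound to the Diagnostic interface,
                     so Cisco-specific MIB queries will not be answered.
    weak-version:    v1/v2c uses a cleartext community string; the v3
                     groups (AUTH/PRIV/NOAUTH) exist by default on FTD.
    """
    findings = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        iface, addr, ver = m.group("iface"), m.group("addr"), m.group("ver")
        if iface.lower() != expected_iface.lower():
            findings.append(("wrong-interface",
                             f"{addr}: bound to '{iface}', LINA MIB polling needs {expected_iface}"))
        if ver in (None, "1", "2c"):  # no version keyword defaults to v1 on ASA/LINA
            findings.append(("weak-version",
                             f"{addr}: SNMP version {ver or '1'} sends the community in cleartext"))
    return findings


if __name__ == "__main__":
    for code, msg in check_snmp_config(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```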
