Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
25855
Views
20
Helpful
38
Comments

Cisco Secure Firewall Device Manager - SNMP configuration using API

Anupam Pavithran
Cisco Employee
Cisco Employee

‎02-06-2021 04:23 AM - edited ‎11-08-2023 12:03 AM

fdm-new.png

Problem:

SNMP on FDM was introduced in version 6.7. As of now, we only have the option to push via API. The current method is time-consuming, and knowledge of API is needed.

Here is the current guide we have.
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html

 


Solution

@Dinesh Verma  and I created a script that automates the entire workflow using Python. You only need to enter the details pertaining to SNMPv2/SNMPv3; the script takes care of everything else. The script is available in the following GitHub repository.

https://github.com/anupamx47/FDM-SNMP/tree/main

 

1) Preparation:

1.Download the Script:

  • Go to the script's GitHub page: fdm-snmp.py.
  • Click the "Download Zip" button, under "code" to download the Python script to your computer.

2.Install Python:

  • Make sure you have Python installed on your computer. You can download and install the latest version of Python from the official Python website: Python Downloads. Follow the installation instructions for your operating system.

3.Install Required Dependencies:

  • Open a command prompt or terminal.
  • Navigate to the directory where you downloaded the script.
  • Run the following command to install the necessary dependencies:
    pip3 install -r requirements.txt

4.Execute the Script:

  • Open a command prompt or terminal.
  • Navigate to the directory where you downloaded the script using the cd command.
  • Run the script using Python:
    python3 fdm-snmp.py

****************************************************************************************************

 

2) Create SNMPv2 Host


C:\Users\anpavith\OneDrive\Desktop\scripts\FDM-SNMP> python3 fdm-snmp.py
###########################################################
# CONFIGURE SNMP ON FDM #
###########################################################
Enter the device IP address: 10.106.55.56
Enter the username of the FTD: admin
Enter the password of the FTD:
###########################################################
Auth-Status code is 200
Successfully Authenticated
Would you like to configure (1) SNMPv2 or (2) SNMPv3 : 1
Enter the SNMP Server object name : solar22
Enter the SNMP Server object IP : 22.22.22.22
Enter SNMPv2 community string : cisco123
###########################################################
1 diagnostic Management0/0
2 dmz GigabitEthernet0/2
3 inside GigabitEthernet0/1
4 outside GigabitEthernet0/0
Select the interface (Integer value only) : 4
Enter SNMP host object name : snmp22
###########################################################
Successfully Created, please deploy and check SNMP config
###########################################################

 

 

3) Create SNMPv3 Host along with SNMPv3 user

 

C:\Users\anpavith\OneDrive\Desktop\scripts\FDM-SNMP> python3 .\fdm-snmp.py
###########################################################
# CONFIGURE SNMP ON FDM #
###########################################################
Enter the device IP address: 10.106.55.56
Enter the username of the FTD: admin
Enter the password of the FTD:
###########################################################
Auth-Status code is 200
Successfully Authenticated
Would you like to configure (1) SNMPv2 or (2) SNMPv3 : 2
Enter the SNMP Server object name : solar21
Enter the SNMP Server object IP : 21.21.21.21
Enter SNMPv3 username : cisco21
Enter Security Level => Options ['AUTH', 'NOAUTH', 'PRIV'] : PRIV
Enter authentication Algorithm => Options ['SHA', 'SHA256'] : SHA
Enter authentication password : cisco123
Enter encryption Algorithm => Options ['AES128', 'AES192', 'AES256', '3DES'] : AES128
Enter encryption password : cisco123
###########################################################
1 diagnostic Management0/0
2 dmz GigabitEthernet0/2
3 inside GigabitEthernet0/1
4 outside GigabitEthernet0/0
Select the interface (Integer value only) : 4
Enter SNMP host object name : host21
###########################################################
Successfully Created, please deploy and check SNMP config
###########################################################

 

 

Please use the script and provide us with any feedback.

Preview file
136 KB
Comments
Anupam Pavithran
Cisco Employee
Cisco Employee
‎11-10-2023 06:08 AM

@Drago 

Could you confirm the software version?

Drago
Level 1
Level 1
‎11-10-2023 06:14 AM

The Current version I am using is 7.0.5-72. I have staged the 7.2.5-208 but have not been approved to upgrade yet.

a118123
Level 1
Level 1
‎11-22-2023 07:02 PM

when executing pip3 install -r requirements.txt

error messge shows 

ERROR: Could not find a version that satisfies the requirement getpass (from versions: none)
ERROR: No matching distribution found for getpass

My python is 3.12.0 any idea?

Thanks.

Anupam Pavithran
Cisco Employee
Cisco Employee
‎11-22-2023 08:12 PM
Hello,

Looks like there was an oversight when creating the requirements.txt file.
We just need the 'requests' module; the rest are part of Python’s standard library.
I’ve updated the requirements.txt on GitHub, please retry and let me know.
//Anupam
a118123
Level 1
Level 1
‎11-22-2023 08:52 PM

You are correct. requests is the only add-on module I need.

Moreover, I would like to share that the command "python3 fdm-snmp.py" isn't work with following error message.
Python was not found; run without arguments to install from the Microsoft Store, or disable this shortcut from Settings > Manage App Execution Aliases.

 

Soon on after I try another command "python fdm-snmp.py" and it works.

 

Unfortunately, the python script only provide 2c and 3 version. Appreciate if adding support on SNMPv1

I understand there is a secuirty risk, but my client don't have plan to upgrade old SNMP yet.

 

Thank you.

Michael King
Level 1
Level 1
‎10-23-2024 01:21 PM

@a118123 , From a configuration point of view, there is no difference between SNMP v1 and SNMP v2.

Michael King
Level 1
Level 1
‎10-23-2024 01:26 PM

@Anupam Pavithran @Marvin Rhoads , .   Have either of you configured SNMPv3?  When I do so, I just get timeout's when I query the firewall (running 7.4.2).  Just looking for confirmation that SNMPv3 works for someone else.   SNMPv2 works fine.

I currently have a TAC case open on this. (The firewall response timing out, not the community provided script)

Michael King
Level 1
Level 1
‎10-24-2024 08:17 AM

Just following up on my own comment.  TAC is still researching, but I found these bugs resolved in 7.4.1

CSCwa72929

SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCwe73933

SNMPv3 polling may fail using privacy algorithms AES192/AES256

I followed the workarounds listed (Use SHA256 and AES128) and SNMPv3 worked.  Even though I'm on 7.4.2 it looks like these bugs re-appeared.  I've let TAC know, but I just wanted follow up that the script works fine for SNMPv3.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents