Cisco Secure Firewall Device Manager - SNMP configuration using API - Page 3

Anupam Pavithran · ‎02-06-2021

Problem:

SNMP on FDM was introduced in version 6.7. As of now, we only have the option to push via API. The current method is time-consuming, and knowledge of API is needed.

Here is the current guide we have.
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html

Solution

@Dinesh Verma and I created a script that automates the entire workflow using Python. You only need to enter the details pertaining to SNMPv2/SNMPv3; the script takes care of everything else. The script is available in the following GitHub repository.

https://github.com/anupamx47/FDM-SNMP/tree/main

1) Preparation:

1.Download the Script:

Go to the script's GitHub page: fdm-snmp.py.
Click the "Download Zip" button, under "code" to download the Python script to your computer.

2.Install Python:

Make sure you have Python installed on your computer. You can download and install the latest version of Python from the official Python website: Python Downloads. Follow the installation instructions for your operating system.

3.Install Required Dependencies:

Open a command prompt or terminal.
Navigate to the directory where you downloaded the script.
Run the following command to install the necessary dependencies:
pip3 install -r requirements.txt

4.Execute the Script:

Open a command prompt or terminal.
Navigate to the directory where you downloaded the script using the cd command.
Run the script using Python:
python3 fdm-snmp.py

****************************************************************************************************

2) Create SNMPv2 Host

C:\Users\anpavith\OneDrive\Desktop\scripts\FDM-SNMP> python3 fdm-snmp.py
###########################################################
# CONFIGURE SNMP ON FDM #
###########################################################
Enter the device IP address: 10.106.55.56
Enter the username of the FTD: admin
Enter the password of the FTD:
###########################################################
Auth-Status code is 200
Successfully Authenticated
Would you like to configure (1) SNMPv2 or (2) SNMPv3 : 1
Enter the SNMP Server object name : solar22
Enter the SNMP Server object IP : 22.22.22.22
Enter SNMPv2 community string : cisco123
###########################################################
1 diagnostic Management0/0
2 dmz GigabitEthernet0/2
3 inside GigabitEthernet0/1
4 outside GigabitEthernet0/0
Select the interface (Integer value only) : 4
Enter SNMP host object name : snmp22
###########################################################
Successfully Created, please deploy and check SNMP config
###########################################################

3) Create SNMPv3 Host along with SNMPv3 user

C:\Users\anpavith\OneDrive\Desktop\scripts\FDM-SNMP> python3 .\fdm-snmp.py
###########################################################
# CONFIGURE SNMP ON FDM #
###########################################################
Enter the device IP address: 10.106.55.56
Enter the username of the FTD: admin
Enter the password of the FTD:
###########################################################
Auth-Status code is 200
Successfully Authenticated
Would you like to configure (1) SNMPv2 or (2) SNMPv3 : 2
Enter the SNMP Server object name : solar21
Enter the SNMP Server object IP : 21.21.21.21
Enter SNMPv3 username : cisco21
Enter Security Level => Options ['AUTH', 'NOAUTH', 'PRIV'] : PRIV
Enter authentication Algorithm => Options ['SHA', 'SHA256'] : SHA
Enter authentication password : cisco123
Enter encryption Algorithm => Options ['AES128', 'AES192', 'AES256', '3DES'] : AES128
Enter encryption password : cisco123
###########################################################
1 diagnostic Management0/0
2 dmz GigabitEthernet0/2
3 inside GigabitEthernet0/1
4 outside GigabitEthernet0/0
Select the interface (Integer value only) : 4
Enter SNMP host object name : host21
###########################################################
Successfully Created, please deploy and check SNMP config
###########################################################

Please use the script and provide us with any feedback.

Anupam Pavithran · ‎11-10-2023

@Drago

Could you confirm the software version?

Drago · ‎11-10-2023

The Current version I am using is 7.0.5-72. I have staged the 7.2.5-208 but have not been approved to upgrade yet.

a118123 · ‎11-22-2023

when executing pip3 install -r requirements.txt

error messge shows

ERROR: Could not find a version that satisfies the requirement getpass (from versions: none)
ERROR: No matching distribution found for getpass

My python is 3.12.0 any idea?

Thanks.

Anupam Pavithran · ‎11-22-2023

Hello,

Looks like there was an oversight when creating the requirements.txt file.
We just need the 'requests' module; the rest are part of Python’s standard library.
I’ve updated the requirements.txt on GitHub, please retry and let me know.
//Anupam

a118123 · ‎11-22-2023

You are correct. requests is the only add-on module I need.

Moreover, I would like to share that the command "python3 fdm-snmp.py" isn't work with following error message.
Python was not found; run without arguments to install from the Microsoft Store, or disable this shortcut from Settings > Manage App Execution Aliases.

Soon on after I try another command "python fdm-snmp.py" and it works.

Unfortunately, the python script only provide 2c and 3 version. Appreciate if adding support on SNMPv1

I understand there is a secuirty risk, but my client don't have plan to upgrade old SNMP yet.

Thank you.

Michael King · ‎10-23-2024

@a118123 , From a configuration point of view, there is no difference between SNMP v1 and SNMP v2.

Michael King · ‎10-23-2024

@Anupam Pavithran @Marvin Rhoads , . Have either of you configured SNMPv3? When I do so, I just get timeout's when I query the firewall (running 7.4.2). Just looking for confirmation that SNMPv3 works for someone else. SNMPv2 works fine.

I currently have a TAC case open on this. (The firewall response timing out, not the community provided script)

Michael King · ‎10-24-2024

Just following up on my own comment. TAC is still researching, but I found these bugs resolved in 7.4.1

CSCwa72929	SNMPv3 polling may fail using privacy algorithms AES192/AES256
CSCwe73933	SNMPv3 polling may fail using privacy algorithms AES192/AES256

I followed the workarounds listed (Use SHA256 and AES128) and SNMPv3 worked. Even though I'm on 7.4.2 it looks like these bugs re-appeared. I've let TAC know, but I just wanted follow up that the script works fine for SNMPv3.