The PIX Security Appliance provides support for network monitoring using
SNMP V1 and V2c. The PIX supports traps and SNMP read access, but does not
support SNMP write access.
SNMP Example
In the figure, the NMS uses a Get operation to request management information contained in an agent on host 172.18.0.15. Within the Get request, the NMS includes a complete Object Identifier (OID) so that the agent knows exactly what is being sought. The response from the agent contains a variable binding containing the same OID and the data associated with it. The NMS then uses a Set request to tell the agent to change a piece of information. In an unrelated communication, host 172.16.0.2 sends a trap to the NMS because some urgent condition has occurred.
Enable SNMP
The SNMP agent that runs on the PIX Security Appliance performs two functions:
- Replies to SNMP requests from NMSs.
- Sends traps to NMSs.
To enable the SNMP agent and identify an NMS that can connect to the PIX Security Appliance, follow these steps:
Step 1
Identify the IP address of the NMS that can connect to the PIX Security Appliance with the snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port] global configuration command. Specify trap or poll to limit the NMS to receiving traps only or browsing only. By default, the NMS can use both functions.
SNMP traps are sent on UDP port 162 by default. The port number can be changed by using the udp-port keyword.
Step 2
Specify the community string with the snmp-server community key global configuration command. The SNMP community string is a shared secret between the PIX Security Appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
Step 3
(Optional) Set the SNMP server location or contact information with the snmp-server {contact | location} text global configuration command.
Step 4
Enable the PIX Security Appliance to send traps to the NMS with the snmp-server enable [traps [all | feature [trap1] [trap2]] [...]] global configuration command. By default, SNMP core traps are enabled. If a trap type is not entered in the command, syslog is the default. To enable or disable all traps, enter the all option. For snmp, each trap type can be identified separately.
Step 5
Enable system messages to be sent as traps to the NMS with the logging history level global configuration command. Syslog traps must also be enabled using the preceding snmp-server enable traps command.
Step 6
Enable logging, so system messages are generated and can then be sent to an NMS, with the logging on global configuration command.
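The six steps above, carried through as one PIX global configuration. This is an added example, not configuration from the original document or from Cisco: the interface name inside, the NMS addresses 192.0.2.10 and 192.0.2.20, the non-default trap port 1162, the contact and location text, and the community string EXAMPLE-RO are constructed placeholders to be replaced with your own values.

```cisco
! Added example (not from the original document): a PIX configuration that
! walks through Steps 1-6. Interface name, NMS addresses, trap port, contact,
! location and community string are constructed placeholders.
!
! Step 1: identify the NMSs. The first may only poll (SNMP read access),
! the second may only receive traps, which it listens for on UDP 1162.
snmp-server host inside 192.0.2.10 poll community EXAMPLE-RO version 2c
snmp-server host inside 192.0.2.20 trap community EXAMPLE-RO version 2c udp-port 1162
!
! Step 2: the shared secret (case-sensitive, no spaces, up to 32 characters)
snmp-server community EXAMPLE-RO
!
! Step 3 (optional): contact and location returned to the NMS
snmp-server contact noc@example.net
snmp-server location Example Corp rack 4
!
! Step 4: keep the core snmp traps, listing the trap types individually,
! and also enable syslog traps so Step 5 has an effect
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
!
! Step 5: forward system messages of severity warnings and above as traps
logging history warnings
!
! Step 6: generate system messages at all
logging on
```

Splitting the NMS into a poll-only entry and a trap-only entry keeps each host to the single function it needs; an entry without trap or poll gets both. Because the PIX offers no SNMP write access, the polling NMS can read the MIB but cannot change the appliance, and with SNMP v1/v2c the community string crosses the network in clear text, so the logging history level should be set so that traps carry only what the NMS actually needs to act on.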