Chapter 32. Managing the Network Management Agent

Network management and monitoring are crucial in today's increasingly complex and heterogeneous network environment. Swift detection and response to a failing mission-critical networked resource can prevent considerable financial losses. Most of today's network management platforms use the industry-standard Simple Network Management Protocol (SNMP) to communicate with resources being managed. The Gauntlet Firewall includes an SNMP agent that provides a limited amount of information to SNMP managers. The SNMP agent can be used to obtain information about the firewall such as its DNS name and the IP addresses of the firewall's interfaces.


Note: The Gauntlet Firewall also includes an SNMP proxy. Refer to Chapter 13, “Managing Network Management Services,” for more information on the SNMP proxy.

This chapter discusses the concepts behind the SNMP agent, explains how it works and how to configure and start it, and lists steps for configuring a selection of network management products to use the SNMP agent with Gauntlet Firewalls. The chapter consists of the following sections:

  • Understanding the SNMP Agent

  • Accessing SNMP Agent Configuration

  • Configuring the Firewall as an SNMP Agent

  • Configuring SNMP Network Managers

  • Understanding SNMP Agent Replies

Understanding the SNMP Agent

The SNMP agent is a daemon running on the firewall that accepts queries from SNMP managers. These queries must be SNMP version 1, as defined by RFC 1157. Because SNMPv1 carries the community string in cleartext in every packet, the community is not a secret; the host-based restriction below is the access control to rely on. You can configure the agent to allow queries from SNMP managers based on:

  • source IP address

  • source hostname

How the SNMP Agent Works

The firewall runs an instance of the SNMP agent (snmpd) as a daemon listening on a configurable port (by default, UDP port 1610). When the agent receives a query, it checks its configuration information and determines whether the initiating host has permission to access the agent. If the initiating host does not have permission to query the agent, the agent logs the attempt and drops the SNMP packet. If the host has permission, the agent responds using standard SNMP responses.

If the manager provides incorrect community information, the agent also logs the request and discards the packet. If the manager requests an unsupported MIB object, the agent provides the appropriate SNMP response.

The agent does not listen on the standard SNMP port (UDP port 161) because the Gauntlet Firewall also includes an SNMP proxy that uses the SNMP port. If you are not using the SNMP proxy, you can run the SNMP agent on the SNMP port.
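The following Python is an added example, not code from the Gauntlet documentation or product. It encodes and decodes single-varbind SNMPv1 messages (RFC 1157) and applies the admission logic described above in the same order: source host, then version and community, then whether the requested object is in the served subset. The manager host, community, served OIDs and their values (ALLOWED_MANAGERS, COMMUNITY, SUPPORTED, the sysName string) are constructed for the illustration.

```python
"""Minimal SNMPv1 (RFC 1157) codec plus the agent-side admission logic this chapter
describes. Added illustration, not Gauntlet's snmpd; configuration values are constructed."""
import logging
log = logging.getLogger("snmpd-example")

# BER tags used by SNMPv1 and the two error-status codes the agent needs
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
NO_ERROR, NO_SUCH_NAME = 0, 2

def _len(n):  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _len(len(payload)) + payload

def enc_int(v):  # minimal two's-complement encoding, v >= 0
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):
    ids = [int(x) for x in dotted.strip(".").split(".")]
    body = bytearray([40 * ids[0] + ids[1]])
    for sub in ids[2:]:  # base-128 sub-identifiers, high bit set on all but the last octet
        chunk = [sub & 0x7F]
        while sub > 0x7F:
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))

def dec_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return "." + ".".join(map(str, ids))

def read_tlv(buf, pos=0):
    """Return (tag, payload, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _message(community, pdu_tag, request_id, status, oid, value_tlv):
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, enc_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(status)
              + enc_int(1 if status else 0) + varbinds)  # error-index points at the varbind
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oid, request_id=1):
    return _message(community, GET_REQUEST, request_id, NO_ERROR, oid, tlv(NULL, b""))

def parse_message(packet):
    """Decode a single-varbind SNMPv1 message into a dict."""
    _, msg, _ = read_tlv(packet)
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    ints, q = [], 0
    for _ in range(3):  # request-id, error-status, error-index
        _, raw, q = read_tlv(pdu, q)
        ints.append(int.from_bytes(raw, "big", signed=True))
    _, vbl, _ = read_tlv(pdu, q)
    _, vb, _ = read_tlv(vbl)
    _, oid_body, r = read_tlv(vb)
    vtag, vraw, _ = read_tlv(vb, r)
    value = (int.from_bytes(vraw, "big", signed=True) if vtag == INTEGER
             else None if vtag == NULL else bytes(vraw))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "pdu_tag": pdu_tag, "request_id": ints[0], "error_status": ints[1],
            "oid": dec_oid(oid_body), "value": value}

# Constructed agent configuration standing in for the SNMP Agent window fields
ALLOWED_MANAGERS = {"10.0.1.5"}  # hypothetical "SNMP Manager" host
COMMUNITY = "public"
SUPPORTED = {  # the read-only subset served; values are hypothetical
    ".1.3.6.1.2.1.1.5.0": b"fw.example.net",  # sysName.0
    ".1.3.6.1.2.1.2.1.0": 3,  # ifNumber.0
}

def agent_handle(src_ip, packet):
    """Unauthorized host, non-v1 PDU or wrong community: log and drop (return None).
    Unsupported object: noSuchName response. Otherwise: GetResponse with the value."""
    if src_ip not in ALLOWED_MANAGERS:
        log.warning("snmpd: dropped query from unauthorized host %s", src_ip)
        return None
    req = parse_message(packet)
    if req["version"] != 0 or req["pdu_tag"] != GET_REQUEST or req["community"] != COMMUNITY:
        log.warning("snmpd: dropped query from %s: version, PDU or community rejected", src_ip)
        return None
    value = SUPPORTED.get(req["oid"])
    if value is None:
        return _message(COMMUNITY, GET_RESPONSE, req["request_id"], NO_SUCH_NAME,
                        req["oid"], tlv(NULL, b""))
    vtlv = enc_int(value) if isinstance(value, int) else tlv(OCTET_STRING, value)
    return _message(COMMUNITY, GET_RESPONSE, req["request_id"], NO_ERROR, req["oid"], vtlv)
```

To run this as a listener, bind a UDP socket to the port the agent is configured for (1610 by default) and hand each datagram's source address and payload to agent_handle, sending back whatever it returns; a None return is the "log and drop" case. Dumping the bytes of build_get_request shows the community string immediately after the 0x04 tag, which is why the source-host check, not the community, is the control worth relying on with SNMPv1.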

Accessing SNMP Agent Configuration

To access the SNMP agent configuration:

  1. From within the Gauntlet Firewall Manager, select Environment.

  2. Click the SNMP Agent tab.

    The SNMP Agent window displays.

    Figure 32-1. SNMP Agent Window


Configuring the Firewall as an SNMP Agent

Configuring the Gauntlet Firewall as an SNMP agent involves planning, configuring the agent settings, and enabling the agent.

Planning SNMP Agent Settings

When planning the SNMP agent settings:

  1. Determine which SNMP manager should receive the cold start trap sent by the agent. Ensure that you have the IP address of that host.

  2. Decide which SNMP managers can use the SNMP agent and create the appropriate network groups.

Configuring SNMP Agent Settings

To configure SNMP agent settings, provide information about the agent on the SNMP Agent window:

SNMP Manager

IP address of the SNMP manager that can communicate with the agent on the Gauntlet Firewall.

Firewall Name

Name of the firewall that the SNMP agent reports to the SNMP manager. By default, this is the host name of the firewall.



Note: Some network management software (such as HP OpenView and CA Unicenter TNG) uses the ping program to verify that an agent is reachable before sending the actual SNMP request. Such management programs may also try to ping all interfaces on a system. By default, the firewall responds to pings of the directly connected interface but does not respond to ping traffic for its other interfaces. If your network management software pings all interfaces, you may want to add packet screening rules to your firewall that allow ICMP between the network manager and the other interfaces of the firewall.


Enabling the SNMP Agent

To enable the SNMP agent:

  1. In the SNMP Agent window, click Enabled.

  2. Add the SNMP agent to the service group that controls access to the firewall for the network containing the SNMP network manager.

  3. Before exiting the Gauntlet Firewall Manager, save and apply your changes.

    The next time you reboot your firewall, the firewall enables the SNMP agent.

Configuring SNMP Network Managers

To configure your network manager, set it to query the agent on the firewall at UDP port 1610 instead of the standard SNMP port 161 (or at port 161 if you moved the agent there because you are not using the SNMP proxy).

Understanding SNMP Agent Replies

The Gauntlet Firewall uses standard SNMP responses. Refer to your SNMP documentation for more detailed explanations. This section lists the types of responses the Gauntlet Firewall agent provides.

SNMP Agent and Management Information Base

The SNMP agent currently supports a small subset of the management information base (MIB) defined in RFC 1213 (MIB-II). The agent provides the following MIB values:

  • all the mib-2.system values

  • all the mib-2.snmp values

  • mib-2.interfaces.ifNumber

  • mib-2.ip.ipAddrTable values

All of the values that the agent supports are read-only values. An SNMP manager cannot set these values using SNMP. Some of the mib-2.system values are configurable through the Gauntlet Firewall Manager. The agent provides all of the supported values regardless of the community the agent is in.

SNMP Agent Community

The agent can be a member of the following communities:

  • public

  • private

  • regional

  • proxy

  • core

SNMP Agent Object ID

The value provided for the mib-2.system.sysObjectID object is .1.3.6.1.4.1.602.1.1.1.5.1.

Trap

The Gauntlet Firewall sends only one trap, the cold start trap.