Using SNMP Responses
License: Protection
An SNMP trap is a network management notification. You can configure the device to send intrusion event notifications as SNMP traps, also known as SNMP alerts. Each SNMP alert includes:
- the name of the server generating the trap
- the IP address of the device that detected it
- the name of the device that detected it
- the event data
You can set a variety of SNMP alerting parameters. Available parameters vary depending on the version of SNMP you use. For details on enabling and disabling SNMP alerting, see Configuring Advanced Settings in an Intrusion Policy.
Tip: If your network management system requires a management information base file (MIB), you can obtain it from the ASA FirePOWER module at /etc/sf/DCEALERT.MIB.
SNMP v2 Options
For SNMP v2, you can specify the options described in the following table.
Option | Description |
---|---|
Trap Type | The trap type to use for IP addresses that appear in the alerts. If your network management system correctly renders the INET_IPV4 address type, then you can select as Binary. Otherwise, select as String. For example, HP Openview requires the string type. |
Trap Server | The server that will receive SNMP trap notifications. You can specify a single IP address or hostname. |
Community String | The community name. |
Sensor ID | The user-defined integer representing the managed device sending intrusion events as SNMP traps. |
SNMP v3 Options
For SNMP v3, you can specify the options described in the following table.
Note: When using SNMP v3, the appliance uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message. Currently, this Engine ID value will always be the hexadecimal version of the appliance’s IP address with 01 at the end of the string. For example, if the appliance sending the SNMP alert has an IP address of 172.16.1.50, the Engine ID is 0xAC10013201; if the appliance has an IP address of 10.1.1.77, the Engine ID is 0x0a01014D01.
Option | Description |
---|---|
Trap Type | The trap type to use for IP addresses that appear in the alerts. If your network management system correctly renders the INET_IPV4 address type, then you can select as Binary. Otherwise, select as String. For example, HP Openview requires the string type. |
Trap Server | The server that will receive SNMP trap notifications. You can specify a single IP address or hostname. |
Authentication Password | The password required for authentication. SNMP v3 uses either the Message Digest 5 (MD5) hash function or the Secure Hash Algorithm (SHA) hash function to encrypt this password, depending on configuration. If you specify an authentication password, authentication is enabled. |
Private Password | The SNMP key for privacy. SNMP v3 uses the Data Encryption Standard (DES) block cipher to encrypt this password. If you specify a private password, privacy is enabled. If you specify a private password, you must also specify an authentication password. |
User Name | Your SNMP user name. |
For information about configuring SNMP Alerting, see Using SNMP Responses.
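The trap receiver has to be given the same Engine ID, user name and passwords as the appliance. The following added example (not part of the original documentation) derives the Engine ID from the appliance IP address as the Note describes and builds the matching user entry, assuming the receiver is Net-SNMP's snmptrapd; the function names, the user name ids-trap and the passwords are constructed for illustration.

```python
import ipaddress

# snmptrapd security level keyed by (authentication enabled, privacy enabled)
LEVELS = {(False, False): "noauth", (True, False): "auth", (True, True): "priv"}


def engine_id(appliance_ip):
    """Engine ID as the Note describes it: the IPv4 address in hex, then 01."""
    addr = ipaddress.IPv4Address(appliance_ip)  # ValueError if not valid IPv4
    return "0x" + addr.packed.hex().upper() + "01"


def receiver_stanza(appliance_ip, user, auth_pw=None, priv_pw=None, auth_proto="SHA"):
    """Return snmptrapd.conf lines matching the appliance's SNMP v3 options."""
    if priv_pw and not auth_pw:
        # Same dependency as the option table: privacy requires authentication.
        raise ValueError("a private password requires an authentication password")
    if auth_proto not in ("MD5", "SHA"):
        raise ValueError("authentication protocol must be MD5 or SHA")
    for value in (user, auth_pw, priv_pw):
        if value and ('"' in value or "\n" in value):
            raise ValueError("quotes and newlines cannot be written safely to the config")
    create = ["createUser", "-e", engine_id(appliance_ip), user]
    if auth_pw:
        create += [auth_proto, f'"{auth_pw}"']
    if priv_pw:
        create += ["DES", f'"{priv_pw}"']
    level = LEVELS[(bool(auth_pw), bool(priv_pw))]
    return [" ".join(create), f"authUser log {user} {level}"]


if __name__ == "__main__":
    # Constructed sample values; the IP is the first example from the Note.
    for line in receiver_stanza("172.16.1.50", "ids-trap",
                                auth_pw="constructed-auth-pass",
                                priv_pw="constructed-priv-pass"):
        print(line)
```

Because the Engine ID is tied to the appliance IP address, the receiver entry has to be regenerated if that address changes.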
Configuring SNMP Responses
License: Protection
You can configure SNMP alerting in an intrusion policy. After you apply the policy as part of an access control policy, the system notifies you of any intrusion events it detects via SNMP trap. For more details on SNMP alerting, see Configuring SNMP Responses.
To configure SNMP alerting options:
Procedure
Step 1: Select > > > . The Intrusion Policy page appears.

Step 2: Click the edit icon next to the policy you want to edit. If you have unsaved changes in another policy, click OK to discard those changes and continue. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy. The Policy Information page appears.

Step 3: Click Advanced Settings in the navigation panel on the left. The Advanced Settings page appears.

Step 4: You have two choices, depending on whether SNMP Alerting under External Responses is enabled:
The SNMP Alerting page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See Using Layers in a Network Analysis or Intrusion Policy Layers for more information.

Step 5: Specify the trap type format that you want to use for IP addresses that appear in the alerts, as Binary or as String.

Step 6: Select either SNMP v2 or SNMP v3:

Step 7: Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See Resolving Conflicts and Committing Policy Changes for more information.