Sophos UTM 9.6 SNMP - queries and traps
The Simple Network Management Protocol (SNMP) is used to monitor and control network elements such as routers, servers or switches from a central station. SNMP allows an administrator to quickly get an overview of the status of the monitored network devices. Sophos UTM can be configured to respond to SNMP requests or send SNMP traps to SNMP management tools. The former is achieved with the help of so-called Management Information Bases (MIBs). A MIB defines what information can be retrieved about which network elements. Sophos UTM supports SNMP version 2 and 3 and the following MIBs:
- DISMAN-EVENT-MIB: Management Information Base for events
- HOST-RESOURCES-MIB: Management Information Base for host resources
- IF-MIB: Management Information Base for interface groups
- IP-FORWARD-MIB: Management Information Base for the IP forwarding table
- IP-MIB: Management Information Base for the Internet Protocol (IP)
- NOTIFICATION-LOG-MIB: Management Information Base for logging notifications
- RFC1213-MIB: Management Information Base for network management of TCP/IP-based internets: MIB II
- SNMPv2-MIB: Management Information Base for the Simple Network Management Protocol (SNMP)
- TCP-MIB: Management Information Base for the Transmission Control Protocol (TCP)
- UDP-MIB: Management Information Base for the User Datagram Protocol (UDP)
To obtain system information about Sophos UTM, you must use an SNMP manager that is compiled against at least the RFC1213 MIB (MIB II).
Queries
On the Management > SNMP > Query page, you can enable the use of SNMP queries.
To configure SNMP queries, proceed as follows:
- Enable SNMP queries. Click the slider. The SNMP version and SNMP access control sections can now be edited.
- Select the SNMP version. In the SNMP Version section, select a version from the drop-down list. Authentication is required for SNMP version 3.
- Select allowed networks. Networks in the Allowed networks field are allowed to send queries to the Sophos UTM SNMP agent. Add only networks that actually need to query the SNMP agent; it is not advisable to add non-private networks to the list. Note that access is always read-only.
- Community string: Enter a community string when using version 2. An SNMP community string serves as a kind of password for access to the SNMP agent. By default, "public" is preset as the SNMP community string; change this value according to your needs. The community string may consist of the following characters: (a-z), (A-Z), (0-9), (+), (_), (@), (.), (-), (space).
- Username/Password: Authentication is required when using version 3. Enter a user name and password (a second time to confirm) to allow the remote administrator to send queries. The password must be at least eight characters long. SNMP v3 uses SHA for authentication and AES for encryption; note that the same user name and password are used for both authentication and encryption.
- Click Apply. Your settings are saved.
You can also specify additional information about the UTM.
Device information
With the input fields in the Device Information section, you can describe the UTM in more detail, e.g. by specifying a device name, the location or the responsible administrator. This information can be read by SNMP management programmes and helps to identify the UTM.
Note: All SNMP traffic (protocol version 2) between the UTM and the allowed networks is unencrypted and can be read when transferred over public networks.
In this section you can download the Astaro Notifier MIB, which contains the Sophos UTM SNMP notification definitions based on your current notification trap settings. For historical reasons, the MIB uses the Astaro private enterprise number (SNMPv2-SMI::enterprises.astaro).
Traps
On the Traps tab, you can select an SNMP trap server to which notifications about relevant events on the UTM are sent as SNMP traps. Note that special SNMP monitoring software is required to display the traps.
The messages sent as SNMP traps contain a so-called object identifier (OID), e.g. .1.3.6.1.4.1.9789, which belongs to the private enterprise numbers assigned by the IANA. Here .1.3.6.1.4.1 is the prefix that stands for iso.org.dod.internet.private.enterprise, while 9789 is the private enterprise number of Astaro GmbH & Co KG. The sub-OID for notifications is 1500, to which the OID of the notification type and the associated error code (000-999) are appended in turn. The following notification types are available:
- DEBUG = 0
- INFO = 1
- WARN = 2
- CRIT = 3
Example: The notification "INFO-302: New firmware Up2Date installed" uses the OID .1.3.6.1.4.1.9789.1500.1.302 and is assigned the following label:
[<HOST>][INFO][302]
Note that <HOST> is a placeholder for the host name, and that only the type and error code from the notification subject line are transmitted.
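The OID layout above (enterprise prefix, notification branch 1500, type, error code) is easy to get wrong when writing trap-receiver rules, so here is an added Python example that is not part of the article or of Sophos' software. It decodes a UTM notification trap OID back into its type and error code, renders the label format shown above, and sorts a constructed batch of OIDs into alert/log/ignored buckets by severity. The function names, the severity ordering (DEBUG < INFO < WARN < CRIT, taken from the type numbering on the page) and the zero-padding of codes to three digits are assumptions of this example.

```python
from typing import Dict, List, Tuple

# OID layout described in the article: iso.org.dod.internet.private.enterprise
# (.1.3.6.1.4.1), Astaro's private enterprise number 9789, the notification
# branch 1500, then the notification type and the error code (000-999).
ASTARO_ENTERPRISE_OID = (1, 3, 6, 1, 4, 1, 9789)
NOTIFICATION_BRANCH = 1500
NOTIFICATION_TYPES = {0: "DEBUG", 1: "INFO", 2: "WARN", 3: "CRIT"}
# Severity order derived from the type numbering (assumption: higher number = more severe).
SEVERITY_RANK = {name: num for num, name in NOTIFICATION_TYPES.items()}


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Convert a dotted OID string (leading dot optional) into a tuple of integer arcs."""
    parts = oid.strip().lstrip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return tuple(int(p) for p in parts)


def decode_notification_oid(oid: str) -> Dict[str, object]:
    """Decode a UTM notification trap OID into {'type': ..., 'code': ...}.

    Raises ValueError for OIDs outside the Astaro notification sub-tree, for an
    unknown type arc, or for a code outside the 000-999 range given in the article.
    """
    arcs = parse_oid(oid)
    prefix_len = len(ASTARO_ENTERPRISE_OID)
    if arcs[:prefix_len] != ASTARO_ENTERPRISE_OID:
        raise ValueError(f"not under the Astaro enterprise OID: {oid!r}")
    rest = arcs[prefix_len:]
    if len(rest) != 3 or rest[0] != NOTIFICATION_BRANCH:
        raise ValueError(f"not a notification OID (expected ...9789.1500.<type>.<code>): {oid!r}")
    type_arc, code = rest[1], rest[2]
    if type_arc not in NOTIFICATION_TYPES:
        raise ValueError(f"unknown notification type arc {type_arc}")
    if not 0 <= code <= 999:
        raise ValueError(f"error code {code} outside 000-999")
    return {"type": NOTIFICATION_TYPES[type_arc], "code": code}


def trap_label(host: str, oid: str) -> str:
    """Render the label format shown in the article: [<HOST>][TYPE][CODE].

    Zero-padding the code to three digits follows the 000-999 range in the
    article; that the UTM itself pads codes below 100 is an assumption.
    """
    info = decode_notification_oid(oid)
    return f"[{host}][{info['type']}][{info['code']:03d}]"


def meets_severity(oid: str, minimum: str = "WARN") -> bool:
    """True if the trap's type is at least `minimum` severity."""
    info = decode_notification_oid(oid)
    return SEVERITY_RANK[str(info["type"])] >= SEVERITY_RANK[minimum]


def triage(host: str, oids: List[str], minimum: str = "WARN") -> Dict[str, List[str]]:
    """Sort trap OIDs into 'alert' (>= minimum), 'log' (below minimum) and
    'ignored' (not a UTM notification OID at all, e.g. another vendor's trap)."""
    buckets: Dict[str, List[str]] = {"alert": [], "log": [], "ignored": []}
    for oid in oids:
        try:
            label = trap_label(host, oid)
        except ValueError:
            buckets["ignored"].append(oid)
            continue
        buckets["alert" if meets_severity(oid, minimum) else "log"].append(label)
    return buckets


if __name__ == "__main__":
    # Constructed sample: the INFO-302 example from the article, a hypothetical
    # CRIT-042 trap, and a constructed OID from an unrelated enterprise sub-tree.
    sample = [
        ".1.3.6.1.4.1.9789.1500.1.302",
        ".1.3.6.1.4.1.9789.1500.3.42",
        ".1.3.6.1.4.1.99999.1.1",
    ]
    print(triage("utm01", sample))
```

In a trap receiver, `triage` is the kind of rule you would attach to the Astaro sub-tree: WARN and CRIT go to the on-call channel, DEBUG and INFO are only logged, and anything that fails to decode is left alone rather than silently mapped to a UTM notification.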
To select an SNMP v2c trap server, follow the steps below:
- Click New SNMP Trap Server. The SNMP Trap Server dialogue box opens.
- Make the following settings:
  - SNMP Version: Select SNMP v2c from the drop-down list.
  - Host: The host definition for the SNMP trap server.
  - Community: An SNMP community string serves as a kind of password for access to the SNMP trap server. By default, "public" is preset as the SNMP community string. Enter the community string configured on the SNMP trap server here. The community string may consist of the following characters: (a-z), (A-Z), (0-9), (+), (_), (@), (.), (-), (space).
  - Comment (optional): Add a description or other information.
- Click Save. The new SNMP trap server is displayed on the Traps tab.
Authentication is required for SNMP version 3. To select an SNMP v3 trap server, follow the steps below:
- Click New SNMP Trap Server. The SNMP Trap Server dialogue box opens.
- Make the following settings:
  - SNMP Version: Select SNMP v3 from the drop-down list.
  - Host: The host definition for the SNMP trap server.
  - User Name: Enter a user name for authentication.
  - Auth. method: Select an authentication method from the drop-down list.
  - Password: Enter a password for authentication.
  - Repeat: Repeat the password.
  - Encryption Type: Select an encryption type from the drop-down list.
  - Password: Specify a password for encryption.
  - Repeat: Repeat the password.
  - Engine ID: Specify the engine ID.
  - Comment (optional): Add a description or other information.
- Click Save. The new SNMP trap server is displayed on the Traps tab.
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer was able to gain numerous project experiences. His interest in IT security was significantly awakened by his service in command support. Even after his service, he is an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large